9c64126315cf4cf12d63a97757c567b06a528b6c7758a2ccd1e4e071fa8d0255

Analysis

max time kernel
85s
max time network
88s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-12-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iFlyDownInstall_v10.10.39.exe
Size

1.0MB
MD5

e3f14ae0d42383344509ea5c1576c87e
SHA1

80b83db19f0950d76d20df0d3b16f2c9104a2dc5
SHA256

9c64126315cf4cf12d63a97757c567b06a528b6c7758a2ccd1e4e071fa8d0255
SHA512

9aefa9b444adc3a0a57805798661e9fab3574cad7d5e068f4d9a8995aa162bcc346f1672109ee2447a11c34289684a35bc75e3708f8da3b623b5cc92420d0f0b
SSDEEP

24576:9uYMMe+Irx73UG1szLSvJwmqIkRLtxptsZjU:OyE73UfqvCakRLdtsZg

Score

7^/10

discovery pyinstaller upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001900000002aacf-11.dat	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aacf-11.dat	upx
behavioral1/memory/5044-14-0x0000000073CD0000-0x0000000073D8C000-memory.dmp	upx
behavioral1/memory/5044-1987-0x0000000073CD0000-0x0000000073D8C000-memory.dmp	upx
behavioral1/memory/5044-10336-0x0000000073CD0000-0x0000000073D8C000-memory.dmp	upx
behavioral1/memory/5044-15754-0x0000000073CD0000-0x0000000073D8C000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\iFlyDown\iFlyDown.exe	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\it.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\it.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\vi.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\zh-TW.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icon.png	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\snapshot_blob.bin	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\en-GB.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\en-US.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\nb.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\v8_context_snapshot.bin	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\ca.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\pl.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\v8_context_snapshot.bin	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\iFlyDown.exe	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources\app.asar.unpacked\node_modules\@sentry\cli-win32-x64	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\bn.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\fa.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\d3dcompiler_47.dll	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\libEGL.dll	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\elevate.exe	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\chrome_200_percent.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\am.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\da.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\da.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\vi.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\zh-CN.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\vk_swiftshader.dll	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\et.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\hr.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\ms.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources\app.asar.unpacked\node_modules\@sentry\cli-win32-x64\package.json	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icons\64x64.png	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\en-GB.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\kn.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\ko.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icon.ico	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\af.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\ur.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icons\16x16.png	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icons\256x256.png	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\libGLESv2.dll	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\chrome_100_percent.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\ja.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\lv.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\node_modules\@sentry\cli-win32-x64\bin\sentry-cli.exe	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources\app.asar.unpacked\node_modules\@sentry	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\icudtl.dat	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\fi.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\he.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\sv.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources\app.asar.unpacked\node_modules	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\fi.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\hr.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\lt.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\locales\sk.pak	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\resources.pak	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\ffmpeg.exe	iFlyDownInstall_v10.10.39.exe
File opened for modification	C:\Program Files\iFlyDown\app.7z	iFlyDownInstall_v10.10.39.exe
File created	C:\Program Files\iFlyDown\locales\am.pak	iFlyDownInstall_v10.10.39.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	iFlyDown.exe

Executes dropped EXE 12 IoCs

pid	Process
580	iFlyDown.exe
4800	iFlyDown.exe
3328	iFlyDown.exe
4764	iFlyDown.exe
420	iFlyDown.exe
4956	iFlyDown.exe
4692	iFlyDown.exe
1588	iFlyDown.exe
3260	iFlyDown.exe
5348	iFlyDown.exe
5980	yt-dlp.exe
3456	yt-dlp.exe

Loads dropped DLL 64 IoCs

pid	Process
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
580	iFlyDown.exe
4800	iFlyDown.exe
3328	iFlyDown.exe
4764	iFlyDown.exe
420	iFlyDown.exe
3328	iFlyDown.exe
3328	iFlyDown.exe
3328	iFlyDown.exe
3328	iFlyDown.exe
4956	iFlyDown.exe
4692	iFlyDown.exe
1588	iFlyDown.exe
3260	iFlyDown.exe
5348	iFlyDown.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe
3456	yt-dlp.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c00000002ab6c-16696.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iFlyDownInstall_v10.10.39.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe
5044	iFlyDownInstall_v10.10.39.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5044	iFlyDownInstall_v10.10.39.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: 33	5368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5368	AUDIODG.EXE
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe
Token: SeCreatePagefilePrivilege	580	iFlyDown.exe
Token: SeShutdownPrivilege	580	iFlyDown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 4800	580	iFlyDown.exe	81
PID 580 wrote to memory of 4800	580	iFlyDown.exe	81
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 3328	580	iFlyDown.exe	82
PID 580 wrote to memory of 4764	580	iFlyDown.exe	83
PID 580 wrote to memory of 4764	580	iFlyDown.exe	83
PID 580 wrote to memory of 420	580	iFlyDown.exe	84
PID 580 wrote to memory of 420	580	iFlyDown.exe	84
PID 420 wrote to memory of 4816	420	iFlyDown.exe	85
PID 420 wrote to memory of 4816	420	iFlyDown.exe	85
PID 4816 wrote to memory of 3164	4816	cmd.exe	87
PID 4816 wrote to memory of 3164	4816	cmd.exe	87
PID 420 wrote to memory of 2104	420	iFlyDown.exe	88
PID 420 wrote to memory of 2104	420	iFlyDown.exe	88
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90
PID 580 wrote to memory of 4692	580	iFlyDown.exe	90

C:\Users\Admin\AppData\Local\Temp\iFlyDownInstall_v10.10.39.exe
"C:\Users\Admin\AppData\Local\Temp\iFlyDownInstall_v10.10.39.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files\iFlyDown\iFlyDown.exe
"C:\Program Files\iFlyDown\iFlyDown.exe"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\iFlyDown /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\iFlyDown\Crashpad --url=https://f.a.k/e --annotation=_productName=iFlyDown --annotation=_version=10.10.39 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=27.1.3 --initial-client-data=0x508,0x510,0x514,0x4e4,0x518,0x7ff6b0bca9e0,0x7ff6b0bca9f0,0x7ff6b0bcaa00
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4800
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1832 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3328
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2084 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4764
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iFlyDown\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2444 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    PID:2104
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe" -J --no-playlist --no-warnings --flat-playlist --extractor-args "youtube:lang=en" "https://www.youtube.com/shorts/x13TeBoIMiw""
    3⤵
    PID:5936
  - - C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe
      "C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe" -J --no-playlist --no-warnings --flat-playlist --extractor-args "youtube:lang=en" "https://www.youtube.com/shorts/x13TeBoIMiw"
      4⤵
      Executes dropped EXE
      PID:5980
    - - C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe
        
        "C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe" -J --no-playlist --no-warnings --flat-playlist --extractor-args "youtube:lang=en" "https://www.youtube.com/shorts/x13TeBoIMiw"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1076
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=iFlyDown --app-path="C:\Program Files\iFlyDown\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4692
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=iFlyDown --app-path="C:\Program Files\iFlyDown\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4956
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=iFlyDown --app-path="C:\Program Files\iFlyDown\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3052 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1588
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=iFlyDown --app-path="C:\Program Files\iFlyDown\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3544 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3260
- C:\Program Files\iFlyDown\iFlyDown.exe
  "C:\Program Files\iFlyDown\iFlyDown.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\iFlyDown" --standard-schemes --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3628 --field-trial-handle=1836,i,2555094925836638512,146235013306495134,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\iFlyDown\D3DCompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Program Files\iFlyDown\app.7z

Filesize
151KB

MD5
55feb2593ab510c4ad254a07f4ca8df4

SHA1
a129e15c22a543b4c61116cf6c9d9e6d030b4eff

SHA256
b65692cf95c7022155d7fc50d60ba639e097ce6305c2d5866c8e4fbe3f17dd8a

SHA512
807cb0b462409b0eb52e866da5470ed95b56ea1754ec1eaf8e6c48f559f17f848e345cea3dc5e947a22dd66679dc769fc872a1e95a50ac84b60a4da13dda460f

Download Submit
C:\Program Files\iFlyDown\chrome_100_percent.pak

Filesize
132KB

MD5
a0e681fdd4613e0fff6fb8bf33a00ef1

SHA1
6789bacfe0b244ab6872bd3acc1e92030276011e

SHA256
86f6b8ffa8788603a433d425a4bc3c4031e5d394762fd53257b0d4b1cfb2ffa2

SHA512
6f6a1a8bfe3d33f3fa5f6134dac7cd8c017e38e5e2a75a93a958addbb17a601c5707d99a2af67e52c0a3d5206142209703701cd3fab44e0323a4553caee86196

Download Submit
C:\Program Files\iFlyDown\chrome_200_percent.pak

Filesize
190KB

MD5
c37bd7a6b677a37313b7ecc4ff01b6f5

SHA1
79db970c44347bd3566cefb6cabd1995e8e173df

SHA256
8c1ae81d19fd6323a02eb460e075e2f25aba322bc7d46f2e6edb1c4600e6537a

SHA512
a7b07133fa05593b102a0e5e5788b29488cb74656c5ee25de897c2ba2b2a7b05c0663ade74a003f7d6df2134d0b75f0ad25e15e9c9e0969e9453b7fc40b9f8bb

Download Submit
C:\Program Files\iFlyDown\config.ini

Filesize
78B

MD5
0d371e15428cda87fc5f11e2e72120a8

SHA1
f6e4b0a5db9c6f1c406bd741a9dfd642c1d61d68

SHA256
fd31e9d01104f626bda30a0f85f194696501acb0b0380cb3b3c29d77f7c42c87

SHA512
a9de97a21ef0900bf871f224ec9743feac4e61e8ae33b4536540554015136844d793c258cdbbd348d7504ee2b11105551839d55d238cdd225f53fc1aa630a5a1

Download Submit
C:\Program Files\iFlyDown\ffmpeg.dll

Filesize
2.8MB

MD5
7dd4a1930f7c8b0c8e33afb40866538e

SHA1
97202e729ff788ae9b237d7169cb796b34fe5654

SHA256
4c686f39988abc4e35bbe5de40d801054bc3aa87157aac55d88d34e2e0f2559a

SHA512
cfc8ecb5b025d3f945de3bc9c84188f2ecf6287fdfa3440fd3c4f3eef255733ca916f0d9c6754bb3e5c6adea2dad4e3204af28c36c667d5489d4ee0f0a761b33

Download Submit
C:\Program Files\iFlyDown\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Program Files\iFlyDown\libEGL.dll

Filesize
477KB

MD5
0760178f01f579bbf36695b8650a7893

SHA1
20af85937df7b30c728bfeb357ada922b1f652dd

SHA256
04672f618cf8d27c7dddd8b0cdd467cea513f720198dba28722586bef7f468f2

SHA512
17b236155a84cbb109af1963dd96bec2eadf6a3f51dd76ebf8e0c6407ec7e75a987fdf29c22e66996c234a12e0c6ceba830230305b9eda3fb202f767fad71c68

Download Submit
C:\Program Files\iFlyDown\libGLESv2.dll

Filesize
7.3MB

MD5
06d3dce373629f5560f0fc7e0f9d5ad4

SHA1
d9c66072541a919281e6b47ca614282af80ad3a0

SHA256
600cba3cc7786cfc9c8b165e33babf07cc1c80c29e44488a4c243d02f58c0fda

SHA512
cf89aca83b9fabd3e6e657a68d214748109a920c14b6851b1ff37d6aa546b3030eaca9bfbbfe677e940e95239f090e4f795cebef707fb5c3b2b4a328508862a2

Download Submit
C:\Program Files\iFlyDown\locales\en-US.pak

Filesize
411KB

MD5
626f30cfd9ad7b7c628c6a859e4013bd

SHA1
02e9a759c745a984b5f39223fab5be9b5ec3d5a7

SHA256
0fd74bb69ad35b3f9391fa760bf0eb0ee73d2bea0066244577ef2abd269513de

SHA512
9ce902f21fef70c5b5af444b532b36c9a00d896878cb4021c9b1dc07aa3277d956bca65ee0adb68467eec113e535b60a8a5fb5414c7d0ca761ceae5c43b7d9a9

Download Submit
C:\Program Files\iFlyDown\resources.pak

Filesize
5.2MB

MD5
34ed9166ed112a8235fdcc7ac8e8dc35

SHA1
94ca417d61def725569537ea30cba3d063ad9c18

SHA256
17c8d2ab64a5f6ee13697ca818d699a1e9f4988eaeb115dbe07f52fed9eb93b5

SHA512
e05f0bcf569da067fe1e5e64056edd42d91a19b17bbbc2c3d320b9dbdb1f7464cf3fa1fed7c694da8b8d28a48a4df1bc270bb65ad91542108619ce5ed6fad81d

Download Submit
C:\Program Files\iFlyDown\resources\app.asar.unpacked\bin\yt-dlp.exe

Filesize
18.7MB

MD5
6c2b82b2dea207820411d650e13ee735

SHA1
7cf15d773aae52209219b25f913c897a663589ee

SHA256
adb1da2943fd437aa48f48c171ce1cd29fd17d874a3875c533560636fa6ab06d

SHA512
d185d82f7bca2e510d308b86620376662468908a9dec35c22e4a108ec6ec0de679f8bce13384961511a457a0cf4da25eb1c75269dbd7959ad653e3a1b30309d6

Download Submit
C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icon.ico

Filesize
7KB

MD5
3697fc83423bc493861de4074110733b

SHA1
526043ac82b7514cd36b3074963fdf71fa481658

SHA256
9d081b9e2a1f5dd21b96a2db5263725b9b17ad281cc87374649fc94c1e97012d

SHA512
cd480f01364f041ae2330794c56ba4bf043bca0621f177737690b31e5c0f0f787f5a10a72765d0c36420b6b121464839bd8dae079993cdca71b1650c392f5d2b

Download Submit
C:\Program Files\iFlyDown\resources\app.asar.unpacked\resources\icon.png

Filesize
14KB

MD5
4ff2e0b3e3d39610e4c79085b9cd1cf8

SHA1
082df25819459b8adf9b1276c878920e1c98e567

SHA256
e63e4aa47a2b66c080f44d405b591e2c533a4ea98f994baeccd13da6f926afff

SHA512
b057989489cb5dfbecac6b897f4146c1c0eb92728613af263767fa9ac2ae7d98b8d64bc7605364f43ad0db7a3ff64552fc8662da20ea641709b2c6163751328f

Download Submit
C:\Program Files\iFlyDown\uninst.exe

Filesize
757KB

MD5
ab2f3c6dd1b4a646ca62e2895557cf5a

SHA1
df7b382009e769c1bb3f1aae2fc81607f00fdeb3

SHA256
be88bb2c489161a5e25abd6b006080206999645f1b83b56adf638d6838e789ac

SHA512
3917eee280fe29f16006c6239b4e6edc42a91f19bacef5e8c15bed086048d2c235b78f257fb3f22c432fcde6a49d7b6a7117fe9a7e0632f7e3f949cca2b49a65

Download Submit
C:\Program Files\iFlyDown\v8_context_snapshot.bin

Filesize
611KB

MD5
1a37f6614ff8799b1c063bc83c157cc3

SHA1
8238b9295e1dde9de0d6fd20578e82703131a228

SHA256
4fbe07f71b706c2a2948eba9a6b1979e23c83342b190723a6ec5251b2d6dad7c

SHA512
6677f65a0e26fdc2cff6cef0231f5e5f0713ee7c5cf7f488599a3c7ac3e8365afaec10b35d6145ea58d364151d8bcb08308765693a9797ea99b894d6e8224ac7

Download Submit
C:\Program Files\iFlyDown\vk_swiftshader.dll

Filesize
4.9MB

MD5
0fb7f00385dafac0d4a75791c6d6532d

SHA1
a9374ef25c94cecff2b2fb4b379cf0b75effe19d

SHA256
c3c973a740c0bb6f16d82872f3b3ab465987a1f3460b7578720efa7bd930d136

SHA512
2eadb816efee7989ed4b75e3e877fbc7146c4542dd5caf415b0ca47bc2823ff75e6b49d5068ca969a4664314b259d30eae75da080afe641f93224ff6b6142fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59802\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59802\base_library.zip

Filesize
859KB

MD5
4f97d2b1506623197d12da738c0f7e56

SHA1
239884c95b9c0f55e2a62472025693acad1f9b90

SHA256
567b9d4f8bb927e459375ecc4d078a19638d76e0af28fbadb700ee79e9054d89

SHA512
55b0615845a07c199b678a8f36b3d1a39df2d580bc4b56971c2a5771a7a735b44455a9bf047e1e83f0ba68f4b80f1c28f2ab7c58228f1ae60d7b657cf33f3bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59802\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59802\ucrtbase.dll

Filesize
1.3MB

MD5
cce9b64d0f98c2370a2da82aa9a501e0

SHA1
0121a2b000b9a0b3f3b6660b39536fe8d72ba222

SHA256
5d69cce34d22d26bc6dcb4c3e58dbae83346eb3ea203cb80769ad4c077424c96

SHA512
66553c524ca07c537d0e7b18ea35ae0b9218d1adf076726d4ea9071b5ec546ffd87bc6efb55671109041a9aa007f7e0f59462341f365e448be9071d714b6a6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\System.dll

Filesize
12KB

MD5
e38d8ff9f749ee1b141a122fec7280e0

SHA1
fbc8e410ef716fdb36977e5c16d3373a6100189a

SHA256
00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4

SHA512
2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\nsNiuniuSkin.dll

Filesize
288KB

MD5
1e88afb7fe5b58d09d8a1b631e442538

SHA1
9ddb655cb32d002f68bdee962ce917002faa3614

SHA256
21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708

SHA512
a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\nsis7zU.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh71D5.tmp\skin.zip

Filesize
337KB

MD5
79d25be916a67fb3628807f5ecad7f99

SHA1
ca3b925fc5a4fad34ea1e562c0d3b41ebcf477dc

SHA256
4450170594f81a7925ab8cb0abc40347c470bef57fff263e2e70f1bc74318e86

SHA512
64b18340b7d26c29cc4d2b25109b28d71b84f781ce104e325b57ef707004affc11eb58fbd1323a444a5f2be2b91582b38bce85372d39549d89eb1e8e50af05ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Cache\Cache_Data\f_000005

Filesize
239KB

MD5
5b1a50d32003745b1a936967b98f11e6

SHA1
fbe602b3997dd91a54a9a6578b2f5dac7cf50280

SHA256
177717c6a2bfd0ed22a2d249ad621321f2b901f0fce4dc118ef8e020d80d8d95

SHA512
6c49d6db209bb14e1462e655bb7d90b02750eb2ef6241110a97365799b8af2ada372b3455396ced05ecd9ca49baf007171d4a72a7b219fdea4afc16c43b7dac2

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Cache\Cache_Data\f_00000c

Filesize
49KB

MD5
7ca090d5f0c1a9e7d42edb60ad4ec5e8

SHA1
7278dcacb472ec8a27af7fbc6f8212b21e191042

SHA256
4039fef5575ba88350a109b2c8d9aa107f583acb6cbe2ac8e609071567c4cc76

SHA512
c4f2d23eacf74f87de8dea6e4532b120253bb9ad356341532f5e1aaf2ce90d137f46b50df7de5250bce4eca1fbfb74da088accd7c626fa853dc524abad7bfe8b

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Cache\Cache_Data\f_00000d

Filesize
635KB

MD5
b537ca5fec304dcf3ce3171edf1e8fa4

SHA1
52665eefc08697d21f82719269fbfef687a643d7

SHA256
50b93c8ccbf1304dde0b424bafadf2fb654597bf4a35def9f29356988dfeb2ca

SHA512
81ae8df536c60aa8eb9a687625a72de559d15018c5248e0bc12ce7ed45aa7b960e999b79a8e197c38ddde219aa942ba4534f154aa99386e5e242d18a7d76c805

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Cache\Cache_Data\f_00000e

Filesize
34KB

MD5
e85ac71b59dadc1488a1c888db91c5ea

SHA1
a4aa7fc9226bd867a978945a27fd78a0a82cc994

SHA256
7441da6812af01a6eb9afa5d602986b233a57700cb721343b0aa9830a15def0d

SHA512
2b4d952a258f9001c2d8a42402c98788759138669750667524df2031d3926e21836b037974ded859bebf88fd9296791a6a2de65561b8098f066f9cbb8ae719ed

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Cache\Cache_Data\f_00000f

Filesize
34KB

MD5
6242c13ec6b35fed918ab71eb096d097

SHA1
691e6865e78afb11d9070056ba6cd99bdad7b04e

SHA256
b1c7566622f40bad557a6c5b7bc5b8ae25b4da191ac716cc7923282eef96034c

SHA512
52914b4ca7362e9ebe326ea89006f5cc096fd4d1c360cae33ca768af92fe6fdb5078d0848fb6dc092848ba0e3d3f51bfb20a292250c35e8bd2e79fd5a19dd7b5

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f10642f06a40ec68f3283e4985c7062f

SHA1
2759b5be241be64e90bdfb33a16df3c1d484d8d5

SHA256
2f59d78f1308b66fa6d7b954d6ca47394b9c50fd5c5c61723d8e5b3d2d1e79a1

SHA512
56c48a48af9f54da99bdeba5201a66571877f04be8a996609ad699a86343413970c611511d39851c384151fbcef767b9949e188871046ba3cb1f6779df71a044

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
5d4091dd3b4dd3dc5253a5df66798099

SHA1
5a6e7c52b5f677a56230a62698b45cb04ef87e70

SHA256
9e88dbb4202e6833a1cd0561f08b7d94345060ddf83a86c6b69a44a3b469c46c

SHA512
b4131164f0d2a0e713b720463ef26183c055953338de5da3d6dcc627dda92f08fa2beb53672d40fbf2a2e9253f0d28fd4811b422092965c1cbf3c8c080a5d5bc

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Network\TransportSecurity

Filesize
858B

MD5
5eede599369a0f4dc0cc5144d9c51933

SHA1
5a9258bf14fc0fe5d1bbd885ea65b7ef9f7394dc

SHA256
1863b9bd018a18c27b452ec403ab67a4da90d2e4b77ee0e5841e476205d9efb7

SHA512
03faa293543e004d40a3bb4d6d3eefb072036224535e93f84068df108a81f4d6a181d7390fc43d65a8dc8fe86502aef6f3673d7c6be8d886753d5dbc447cf8b4

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Network\TransportSecurity

Filesize
858B

MD5
a04160dbaf69829863f37e4d8a6a5886

SHA1
e0a252fd553c56f99e190ddbba161f3443f7c691

SHA256
0784ffe2f05af559ec7780a0d5e270cdbe68bbaa889dc59374e91a20aba7d5dc

SHA512
6ce3be85c69f49ce623ecd60c9b115a7e72e95746340744cc2258c67d2d9e3bb814a3b45413041c4671d102d1916ef21f2ea58a46262079087f6575e00fda259

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Network\TransportSecurity~RFe5852ed.TMP

Filesize
858B

MD5
8f42e8265f469bdce9be60386c7b6938

SHA1
4f40d46c5bd82ca78030184f79fb48ca4cd1d377

SHA256
731f53d240a15967df4f18f1d69f558e1e1629ea9a33802eea3d036f8af68c70

SHA512
9cefaee8c38368e5c7aeff7cedf24e79756924c877d364f54a641630c72223893c7fe0e85ff3193fb8632a10da57b58dfb16dbb6ac230feb0b918c2cdf101310

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2f3caf5c-50dd-470f-b1f5-e4f8f087a69d\index-dir\the-real-index

Filesize
624B

MD5
b6c93123e3929d120f54f290804d916d

SHA1
f6b1b7a71ec4ee156162d56812990428c9e80033

SHA256
ff4b3db5e33d0671be9b5c6817693d789092137330b8db376f6dfe4f68832357

SHA512
232f5849dd8dd12eca436f3eddcaec75ab47e9d5557c1e7318de2ab2184782387556facb962a1de4d47f4691e8e0413aa13354bea05146ac7c81ecc0bea89e68

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2f3caf5c-50dd-470f-b1f5-e4f8f087a69d\index-dir\the-real-index~RFe58872c.TMP

Filesize
48B

MD5
82a687cca14f92286b1a6a94cabfde1c

SHA1
27b31ab2601163d3bc5be31b147bbf9b20a2faa7

SHA256
4cbaad5d49c4ef12f89a3564f1d264dcc9a64a5c990a618beb8d576cf4735648

SHA512
88929f67be73f5744500bba09a177cd956f4cb0f4bee2ebae3fe5578c56faf40b4b7b3d29ebee83a4970d86beb4277104baf2aa9cf81edfce88516b1c77013ff

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b18ba882-c87a-46f2-b1c9-3f4082ef81ab\index-dir\the-real-index

Filesize
2KB

MD5
054a86ee78fa4a8ad3c104af2b50f162

SHA1
d096128aba8090c6b752ad61ffb782bef1caf39d

SHA256
5e07badf6b08148f27085675eeaee1b920883140dcd01c55e2e4146dd0bfb90d

SHA512
fb309865d3e3b30183ba59ba1e426487d99e17bd84e640349a10d1fd8457e90e70ddb80e8b21dc6adf3946c9359bd40926be59ddeea09ff28e7e31f666ca7597

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b18ba882-c87a-46f2-b1c9-3f4082ef81ab\index-dir\the-real-index~RFe582c6a.TMP

Filesize
48B

MD5
7772dd6308e7bc7e45e7234a3f1964b9

SHA1
04bb84282123a2403d0446cf020e407dbcb78ff7

SHA256
4cd3db86dae3e1e6519921e790b975f4059934a89bbbf5861af919131f5cb062

SHA512
ceb2afd9c6cfb25401ddb26472f4c163ed7dca8ba32adc5caa45cbf99cd021020b5e81907a1afab97fc31d0e4705a1c41c6bacd4a4c6d763282b6ebe3ef92b79

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
4de0835e6c2590483208bc8a78a587d9

SHA1
50136a672d3160cf67b94edbe11f58153aff10f5

SHA256
4bc363fee8d0423296b2f89ed4332fc23d14dd9d12ff54281d50b56c79669fb2

SHA512
7d138d6a97038ffd34fe0ea19849403f1d02ab709a6497114e7d04c7e5630e88a32e088501ccd786bc4dccb2c37cdddff99eae0123c38f25c2d648c7cfad0d8f

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
ce0acd2dd75af04034fa820d766b5567

SHA1
810746a51329b374bc8822ff0769a8c1c89239d6

SHA256
e551be01cc34239ef126c4ade88089a24f22a00aab35c35427a89b8c459890a8

SHA512
f16e4bd2b6dee928192b3ba28ae07dc97f19a648ac43ec3b2f656022bf649ad0f1811a49a0ea99da8a2391856fe2af6ad8c34fc4d537b22434d9b72a7575e49e

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
3bceed72e4a01360f8b4dc8d18592f62

SHA1
e06265baf4c63eddb4c886b49bdeb9eac2d9632f

SHA256
55bfda8dff0a7dc5987af59725f46a2f922a281781b738ff6018285a84c6c70f

SHA512
4804dd8be232603bec2656d274efb15a522efc3e94b185bf3aa054a4904de0b3c91947e5694d187ca7ec5f76c6d2a0d4801428dabab0c28f236975af96c8fe5b

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
187B

MD5
b15bbabf87a648b268a216414029919f

SHA1
b15c03289e5d55bc422c060c89ca2c31708b0a77

SHA256
b2f0ef24a12c0188d1a5c674cef0154409a99caf6162b40ef30f28cd8c3471c3

SHA512
f90ec17009a1632c4277d9556756eb69e563daccd28823b43bf74c493b508e2f814c4cb0f3605bebc4162acf073a3e7da8f680e2b8112d5f343dac9a0929bb29

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
c0c9e97a8266b908c41b0456a6360cb5

SHA1
054a92b09d7c1c6423a5ac1d1ce074bdd55e21af

SHA256
7f827941c9917f45f807f9093cf52eef37b66ffc3acef7a39e995d60488be809

SHA512
7f33bf1e0d04c129609e3cc24469dd83d003b515e38f4109bc9ebfd9ea2d6c471c26689f54d2a7c32fb1a61d3a90ccdfb69f26e06709c0466d7c876340c0259b

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe582093.TMP

Filesize
119B

MD5
084598905b9306d907d091d4d769ef0d

SHA1
e02e411678f10a817f6e3f033ba884a976d32359

SHA256
7a024ffde00cafa61dd91f699b596006263e5c7c82d0a35c6679fc5021cf8a4a

SHA512
42c0681437cdf2e58a7a068731c4e62de21ed5459eb17ece52732945f7c60922d26b1a9448749be5fcc4985fb3ddb1d7f32d66e5541788a9aeceba8c3bd0fb02

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\ScriptCache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
8d19d5a2178ce98f914be5f9e79c3006

SHA1
e6dacc20185757ff3bcc47967c9918cd1ff50691

SHA256
eabb372a94937f0fbbc4d416220926b80a1683b6cd02c1a6ae7a5822065bb4e7

SHA512
6d4e56c46deb73f8fd689f492454c7a1f29c90fbb6373eb48a87a416ef77723cb2b258af8a1dbaa3a5daed58295660bd33b883f3982ae3e6225324dd47145359

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Service Worker\ScriptCache\index-dir\the-real-index~RFe588066.TMP

Filesize
48B

MD5
824d4f7c988b1bd8e85b28388857b68f

SHA1
e4e4bc003adf1d421715d5006a0b5dcf49517749

SHA256
941cbfcfd0ee661fb93783277e9096d1a0d3f140768579ce1367119ae3d04493

SHA512
1c84f6d42ffcf7715b3ad8b0b0f9f1d1930afa0a826bfe24aeb54f7a07820f9f81bcfe092d57a9776934bad9516824f1d3bad26c82dff2c76421cdb67cb34491

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\iFlyDown\sentry\scope_v3.json

Filesize
6KB

MD5
c60cde3cf06a2153069d74a568957fbe

SHA1
1da5cce240bd3497701c03af9f2de365f197d4f9

SHA256
df467137163a167202df6450d6dd6cfc97bc4d8fe9bdcb84cda5ca0d141130ec

SHA512
e4296be525d0f8951f574b5102711ba46e2b2d1cb482c2236ef5ade5a5528d659ea833452cd60f2b2d92ea7dd2e72f8afa601d85a00b069eebb04c6b568e5dfd

Download Submit
memory/1588-16469-0x000002564E0A0000-0x000002564E0D1000-memory.dmp

Filesize
196KB

Download
memory/3260-16470-0x000001C08F240000-0x000001C08F271000-memory.dmp

Filesize
196KB

Download
memory/3456-16845-0x00007FF746B80000-0x00007FF746BB7000-memory.dmp

Filesize
220KB

Download
memory/3456-16846-0x00007FFCBEE50000-0x00007FFCBF2B5000-memory.dmp

Filesize
4.4MB

Download
memory/4692-15999-0x000002A9D2070000-0x000002A9D20A1000-memory.dmp

Filesize
196KB

Download
memory/4956-16017-0x00000237CBEB0000-0x00000237CBEE1000-memory.dmp

Filesize
196KB

Download
memory/4956-15990-0x00007FFCDFCA0000-0x00007FFCDFCA1000-memory.dmp

Filesize
4KB

Download
memory/4956-15991-0x00007FFCDF830000-0x00007FFCDF831000-memory.dmp

Filesize
4KB

Download
memory/5044-15934-0x0000000073CD0000-0x0000000073CDB000-memory.dmp

Filesize
44KB

Download
memory/5044-10336-0x0000000073CD0000-0x0000000073D8C000-memory.dmp

Filesize
752KB

Download
memory/5044-1987-0x0000000073CD0000-0x0000000073D8C000-memory.dmp

Filesize
752KB

Download
memory/5044-15754-0x0000000073CD0000-0x0000000073D8C000-memory.dmp

Filesize
752KB

Download
memory/5044-14-0x0000000073CD0000-0x0000000073D8C000-memory.dmp

Filesize
752KB

Download
memory/5348-16102-0x00007FFCE0ED0000-0x00007FFCE0ED1000-memory.dmp

Filesize
4KB

Download
memory/5980-16888-0x00007FF746B80000-0x00007FF746BB7000-memory.dmp

Filesize
220KB

Download