323278e8ab5c265c05c15f8017c03ab6c4ca2f382e7839b48d37bab6bb85277d

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/03/2023, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ByClickDownloader-Setup.exe
Size

28.3MB
MD5

b468baaad4f585217b7c3f0844eed657
SHA1

f453d42e193d3a95c8ae930fa768336af9591548
SHA256

323278e8ab5c265c05c15f8017c03ab6c4ca2f382e7839b48d37bab6bb85277d
SHA512

6bab089195928867aeecec686da68ca577386ba254c8c4e5ba8e1abb170e823f43434a86b30c88e9d818701ab90dd8fc4966e7a5bb259738889df45bc58313da
SSDEEP

786432:ZtZSi2FPQ9eYS7Nvs0vPLFo30mMSdx7Yv:UFY9eYS7NvskjO3hdx7Yv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe

Loads dropped DLL 49 IoCs

pid	Process
1520	ByClickDownloader-Setup.exe
1520	ByClickDownloader-Setup.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
1520	ByClickDownloader-Setup.exe
916	MsiExec.exe
916	MsiExec.exe
804	MsiExec.exe
972	MsiExec.exe
972	MsiExec.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\J:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\L:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\P:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\X:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Y:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\V:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\S:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Z:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\M:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\F:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\V:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\P:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\U:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\W:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\O:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\O:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Q:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\T:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\U:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\X:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\I:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\L:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Z:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\T:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\M:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Q:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	ByClickDownloader-Setup.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\By Click Downloader\ffmpeg.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\rtmpdump.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\taglib-sharp.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\AuthenticationManager.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\AutoDetect.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\WpfAnimatedGif.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Configuration.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\GUI.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe.config	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\UpdaterV2.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Parser.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\SQLite.Interop.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\System.Data.SQLite.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Ionic.Zip.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Microsoft.WindowsAPICodePack.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\NAudio.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Core.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\History.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Interop.iTunesLib.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF0FA.tmp	msiexec.exe
File created	C:\Windows\Installer\6cdedc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF550.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\6cdedb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE45B.tmp	msiexec.exe
File created	C:\Windows\Installer\{E74613B2-25CE-4C62-BCB9-BC1BA31B80DA}\icon_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E74613B2-25CE-4C62-BCB9-BC1BA31B80DA}\icon_1.exe	msiexec.exe
File created	C:\Windows\Installer\6cdede.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE092.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7C6.tmp	msiexec.exe
File created	C:\Windows\Installer\6cdedb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI910.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6cdedc.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA085541-C2D8-11ED-A8C8-E6255E64A624} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 507b1fd5e556d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc00000000020000000000106600000001000020000000322e720df171f32275ed57b326f608d4e642fff162d3a7ac8006477fa1ac2a63000000000e800000000200002000000042e46d41e4c9eede2fafce88cd86900039709f48c36881ae1143d655da91ce55900000001ad241b9f805a0576f20724967912bb57acf21125bf2710be30516ebae19523911be4bd5b73584a5060dc0c0c1ed336560ded06e8d519522273a52826e45e72839a4cfbf9d85926c5cfb6dea09710522c68a8777735fef56d04d580f120060e803d852239375e6e52a931e945c1776baaf6a753c50768030ec39fd981a9786fb1261269951fed085fc7b2dba91abfdc5400000001baef3ed7e50e9e7900c628c7ade09f25e916d7f260d6d7aa59d2b1d92b0089e05b7f07494d7c05ccfc3f29db201c3d13cd0042e10b7c7d536f83ab1ea4f4642	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000074b2d77a8e7a944ea7c282b9066208cc000000000200000000001066000000010000200000006696485be5e5c8fd1f43e5d41970ab5b671bf44dd60f6291f42d259e559b4d9c000000000e80000000020000200000006e9ef43358c7b4faf71243527c92f737e4c05deba3cd65efd071398f6935dc5b20000000edcc16978118f74e3da5d82591558e80ff19cd2e129230103bbd269c7947265a40000000913fc7059fc60a3a6eee5cf55fc3e7961fdd5be2b9fc0362ec9e3e82fe0851edb5309b6c0fb4d9ee29540d70ec37fcb5446806b4092b9616804ec42971af2cb5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B31647EEC5226C4CB9BCBB13AB108AD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3DC15DAB06874F0489B3F00B75123B3F\2B31647EEC5226C4CB9BCBB13AB108AD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\PackageName = "YouTube By Click.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\ByClick\\By Click Downloader 2.3.37\\install\\31B80DA\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2B31647EEC5226C4CB9BCBB13AB108AD\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\PackageCode = "8EB0F89AF5E14BB4AB7C6E0D40D92727"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\Version = "33751077"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\ProductName = "By Click Downloader"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\ProductIcon = "C:\\Windows\\Installer\\{E74613B2-25CE-4C62-BCB9-BC1BA31B80DA}\\icon_1.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\ByClick\\By Click Downloader 2.3.37\\install\\31B80DA\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2B31647EEC5226C4CB9BCBB13AB108AD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3DC15DAB06874F0489B3F00B75123B3F	msiexec.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	ByClickDownloader-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	ByClickDownloader-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ByClickDownloader-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ByClickDownloader-Setup.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
972	MsiExec.exe
972	MsiExec.exe
1768	msiexec.exe
1768	msiexec.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
1516	ByClickDownloader.exe
2220	ByClickDownloader.exe
2220	ByClickDownloader.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2220	ByClickDownloader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1768	msiexec.exe
Token: SeTakeOwnershipPrivilege	1768	msiexec.exe
Token: SeSecurityPrivilege	1768	msiexec.exe
Token: SeCreateTokenPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeTcbPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSecurityPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeTakeOwnershipPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeLoadDriverPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSystemProfilePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSystemtimePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeProfSingleProcessPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeIncBasePriorityPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreatePagefilePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreatePermanentPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeBackupPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeRestorePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeShutdownPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeDebugPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeAuditPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSystemEnvironmentPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeChangeNotifyPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeRemoteShutdownPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeUndockPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSyncAgentPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeEnableDelegationPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeManageVolumePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeImpersonatePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreateGlobalPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreateTokenPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeTcbPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSecurityPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeTakeOwnershipPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeLoadDriverPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSystemProfilePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSystemtimePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeProfSingleProcessPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeIncBasePriorityPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreatePagefilePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreatePermanentPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeBackupPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeRestorePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeShutdownPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeDebugPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeAuditPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSystemEnvironmentPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeChangeNotifyPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeRemoteShutdownPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeUndockPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeSyncAgentPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeEnableDelegationPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeManageVolumePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeImpersonatePrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreateGlobalPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeCreateTokenPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1520	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	1520	ByClickDownloader-Setup.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1520	ByClickDownloader-Setup.exe
1520	ByClickDownloader-Setup.exe
812	iexplore.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
812	iexplore.exe
812	iexplore.exe
1076	IEXPLORE.EXE
1076	IEXPLORE.EXE
1076	IEXPLORE.EXE
1076	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1768 wrote to memory of 972	1768	msiexec.exe	29
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1520 wrote to memory of 1040	1520	ByClickDownloader-Setup.exe	30
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 916	1768	msiexec.exe	34
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1768 wrote to memory of 804	1768	msiexec.exe	36
PID 1516 wrote to memory of 812	1516	ByClickDownloader.exe	39
PID 1516 wrote to memory of 812	1516	ByClickDownloader.exe	39
PID 1516 wrote to memory of 812	1516	ByClickDownloader.exe	39
PID 1516 wrote to memory of 812	1516	ByClickDownloader.exe	39
PID 812 wrote to memory of 1076	812	iexplore.exe	41
PID 812 wrote to memory of 1076	812	iexplore.exe	41
PID 812 wrote to memory of 1076	812	iexplore.exe	41
PID 812 wrote to memory of 1076	812	iexplore.exe	41
PID 2620 wrote to memory of 2644	2620	chrome.exe	50
PID 2620 wrote to memory of 2644	2620	chrome.exe	50
PID 2620 wrote to memory of 2644	2620	chrome.exe	50
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51
PID 2620 wrote to memory of 2804	2620	chrome.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe" /i "C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\YouTube By Click.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\By Click Downloader" SECONDSEQUENCE="1" CLIENTPROCESSID="1520" AI_MORE_CMD_LINE=1
  2⤵
  - Enumerates connected drives
  - Modifies system certificate store
  PID:1040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03DFA34DA6DBC0AD6E42DCA8DCB73327 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 34D9DCA4DE51ADF5F129718C56B2C9DB
  2⤵
  - Loads dropped DLL
  PID:916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24E9B124637E88BD538559F858EC0003 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1552

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "00000000000003CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:360

C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe
"C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.byclickdownloader.com/Welcome.php?source=main
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1076

C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe
"C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
PID:2220

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6469758,0x7fef6469768,0x7fef6469778
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1304,i,17719991918070777625,13018808299098901694,131072 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1304,i,17719991918070777625,13018808299098901694,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1304,i,17719991918070777625,13018808299098901694,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1304,i,17719991918070777625,13018808299098901694,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1304,i,17719991918070777625,13018808299098901694,131072 /prefetch:1
  2⤵
  PID:2892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6cdedd.rbs

Filesize
13KB

MD5
07a1ea2b0dd6e1714e5e5b5e57de5b17

SHA1
c2fa9758a49694b7eea165bdb0ca8bb448aefa41

SHA256
2604c9ba6e492d03ce0e267587ce91f4c46aef17e55a6655bca5c29099b68a3d

SHA512
4878777ba81679aa4cd055af64f4034d7a463d9ba8fda472757692a0a6de933e05b965ef768b044a6971d1c126086b119c7d86f468a3e076136df0cbc78b2378

Download Submit
C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe

Filesize
216KB

MD5
06b72fda7337e05f5f26d8c140f149b2

SHA1
9ccd45a5ca7d566a98031108315358eda19a4a87

SHA256
c00d02f00b83c8c8ced54d86c7fcd917b961e9bb4cf2dbd6af75f93ea7e7e94c

SHA512
a57bf9e64bb706bd3eb6af20f4c44ca0299924de21acbc20069c37a8783ff8c1ef5470aea40cf3d7f787e687d0d616ed433b887cd8af131f3441a7df05613fe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
f75369901cb6889e6ba029ee8da11fed

SHA1
563d9a239327f268fd2e8087edf0c7515956c959

SHA256
0f812d21674182e9711fc840b9e12faafd1fbbf448140515d8ba013c3567818a

SHA512
d1015fd64d2002410edd6f7032ac519c4fc6085576611ebd15b789da168bee956c7afa7a7e93c1e8777bb0df20ea996325a1e7f7a4bf7ff1e9bedffae03061e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
6afb8cc2273e0d3d3a36ead9920703db

SHA1
f6e5c1e128d4364ce183f0e90412b42dc9681376

SHA256
5bd07b5c45bd3b9a35e56c98ffcc979abe595c3dcbbb8fce89400401c5e1c5e6

SHA512
e4fcf1e47a30a732ae564e63b83354f4cc5d053a52ae27c03e8033a787217dfe74a39017fe2cec2a8102a91623495aba4ff2a20b57dfc57bd8afcdcdb4ae86a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_51151F3894C6D8DE5216CA8F889633E4

Filesize
510B

MD5
14616aa677356a00c2d507a72a0d44f6

SHA1
a7aff2c855510afb0c7deae82b753e0ebaf84cc1

SHA256
69d69da734a23676fd96e53af7468cf0fb99da8e8e5e97cbcca2c97c77431d47

SHA512
7cf2884738b3e9e12ca2e86a693d06f64f5967cc2e99e66019afb0b9a326957787be42b365d332948458fe911972fed8df56c0f9c7bf49bf6a8a8c96b923acba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
74b628abf1dd414f5b4830c8e6d4b094

SHA1
5fdae22228882e6ee62066aa15e79e98b27c1d9a

SHA256
376bc5ca078f85f21eb0846ad0adf783797b0e4822853ee3c05aa57343b85fc8

SHA512
c3b5be05056de3fa9369dad1057d9d24d21c3fe50e524bf0dace9cc38796c2e4a8820e978e2fa6ec1e716c250c64981f74d689303dcb9afbce25d11d233dd6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fabc8bbd946c765ccac3ed4f5aa21ed

SHA1
c7752d13ba0d36bed869be16542ccc8ed92f78c9

SHA256
3946e54d90498df37f13ad44ba6569aaa54ec8b6b784493da746d175b8ebd5b1

SHA512
eede1e831b5b1ddf03cb7bf6b17c521398afbd7e84d67105f7c2013ac8e16bb6368d6265edced9a470a98b7aa65f2c99ce2fea9fa33ee4a1e0a330caafec11b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00dd61ffd2f543b55b0c902ff2e77498

SHA1
efa9f85798a5057070a14dbc0a06ff3a87dff1f3

SHA256
3eb8abb175edd5fadad855c11ff8319b9347d13220ec511cb381ec90be127d03

SHA512
505d5cb130b4fc86b7c75406749b74dd2d2ce34d9460321c32c96ef82b103b6d68c52c05510ef2988c0dea247e845a9f9ffb5422c2f826e6f145911f7039dabb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86b013bb469bda078165ea8ee093bd86

SHA1
b044ade9b70dfc63a1c3b03b7063f09093c0b132

SHA256
8dbc9f2fbe21a25b943eb42e730ea92da7687b7be0d6310211d90147a54fb381

SHA512
5c94c28247fd4960413411ad7f29557b06df000d05ca7a12ed0a81c309ee397022e324c21924e94cba9261d27f0030e52f2bd7fc85289a495007141c3e9680e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f910edf7c9990305f352bbadf6f14a81

SHA1
375da9c7cc162e2e7daf365a5d5b0dc5343a6330

SHA256
936c96b8540c5fa64afdfa5949843c4d2b66c82a74ec473eed7e00ecdd3ca9f1

SHA512
fbd149896f67545303bdc04690544db6aece490eea4bbac8f205844be0bdb91f5ba7bbe4dab62453bb09a4bcf077fd108138431098eb6f1552d4fbd8f3a03c57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5fac904b66d691b39f005e8a7cfd669

SHA1
3eb06126ead99c01726898298c47a119786d67de

SHA256
785eedb0a5f48458950452aac2c2803e0eea4f23a2d058ad23b9a93bb6a0d14d

SHA512
e5f2808f7a6a03a2f895945a2aee25347b22af72d64b70ed1f435bda90adb813310f25ba406e398f38ef3be34a21afab6dec5a1d93f9594c278618050038576a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b41238d43e83c37ee2715dcbdb2f8934

SHA1
4f53e406e4d8e8271ffa52fbcbb67e5afa22aded

SHA256
7a2b8628597ffdf6363acc9a7661125ecbeae5ed4e3f4a396fdf6fd30b164278

SHA512
e7453b8731af3ba66bb822acfbe09d4f06c9c3d9256f8c4521e35ee6f4d0119f84d2f634577fe2f2e678f9bc38327d55851ff5286a4e00ad8b64bf63c327cf5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bc33f2ea268879d7ce6f5723b2fb5ca

SHA1
b9cb02844543e63d03bd4a7e2c6d39dbd8349ec0

SHA256
49684a02ac8f14d00de6221c8e5436ada89ef560cc2f1a019aa711fcb7aa7760

SHA512
edbc7b6adccc7a203c2771ab1f8b89359760ea631dede383eeaea7830c1e8fdd3bcc6bb9c73cde1c788f21db30534019ed2a8b1355e1e660113a495f24c6177c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b55f3586180cc7ba3f0d204b79b52817

SHA1
34df4e0d70e229c7b0f639b5bc362ed630b896a8

SHA256
e4d122ea0f8bc7b81687828527ffb323d6f053868e0a50c1ec01b236365898e3

SHA512
36a81b3389e9cf151edcdaf42fea368c7c264d39c8262ba7bdc8c7562300bd90093b32a6c87de779bea2d6c4acf20c5c680466e3a4afbc459c8adfae65724ecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b23f52e4500bb7cd19407ae2a56dc632

SHA1
7e27a25ceaed6c822ef2effade2c8e2b0cc0e5eb

SHA256
28c6e3f146bfeaee67613ed23c3f3218f2936017cf06824b3e4256a4509bcf6b

SHA512
a1816690342fa64e48fad560b5c1d59984ffd4e4337fbbb7071f9db82070b8edbe0ad72aaf5edbe2c052dbce2b09e553ec1b0cbd2f0a48807b09af24ca8b8425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cafbb3ce61828cf891f78ca9c8158011

SHA1
88aaf3208ed59b93ae618a4c2ed5b7c825cc1dbf

SHA256
e1493561125af7c12c72145cdc5c00f54c65cf1a3b543c3942091983a9832570

SHA512
3b5bb30c92e3fd06b4025f8df2ecf75579b3d17c89775dd073aeaf97892ff85ec823155efbc3930cd2fc69f8ee49c5101515d9cea6258ba1b07bbb3be9f8626f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
727eb8058c6fb66a93e6752ae3392663

SHA1
d7e127d1b9a75b3b381c09412bb3f401a1febafc

SHA256
edd8b2393ccea838b097c3e6f104489a2f320325117580a5ecacbd44f5a38de0

SHA512
da4b5d8fa3e8395683f59d7dfe4fe13a1cb6ac3b65f391147bc6f72238f3a4cd81add469c9a7e37e4ebbeaa79668261192242b75664a67fe47fe6b88a1064096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
565613bd18637c1483cba3327efe768e

SHA1
0ae7cef8116300c491f0961f7713bcf5600d02bb

SHA256
19e2f9ca563f57dd81b5bb52bcac3b45e5271942b9b5a14056760abb4d8912a4

SHA512
ea459d64263ea1bcc9a525354a91d376161728bbb4c9a57189be84968d404af3ccee4aad0747f69214821208adde86442415f990e217f02db6937c08f6bd047c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
5c9177ba6f7ff557828c171a12de35cc

SHA1
06a3df4b94ca3b4603dfc740beed409ec2f612ea

SHA256
ed8b680f6170a58e243a1306bfccf3e79ed1f7f1abdc0a59cb6983f11dc798cb

SHA512
40dddfe3d165cc736b5c197a0f88d9d29eeb9b144e434fe2b6a90945bf52d8afdff34713778da77dee4c852333462fcf95904bc736ffe96d60c29791aabb7c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_51151F3894C6D8DE5216CA8F889633E4

Filesize
480B

MD5
33244dd0b375af8feb0ea20fea29a66f

SHA1
5f52ea87c98c9b77fc227716b96e86139c03b3e3

SHA256
856c75f10f56bf73bf8c8f2ebcce2297953cd94b32b08e2b2bdc5efda51e6815

SHA512
bfe38d3d1bb62bd39ee9eb3d9ee1e169b04849a40cfd6d3e597b7991979b62c4290326105c9677c746c34898317a5d7f7c3025b03f2be7cc714d215ab3fc59c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZTPJYNO\favicon[1].ico

Filesize
1KB

MD5
e2697e666f6d867def2998154e89a6e0

SHA1
f1e6ae8c016c96f0190c817f414d84a4cd14874f

SHA256
d44aa9a72da766f0343e4f95ad61f30d078323087839281bad7d5eb680e8c7ac

SHA512
e2444258570d1d1e9ea5d181413454be5bc93be95cdd4b3272e894fe247aad2c3ad94d3ff912b2ff45c22b371ef71bcb4dd8bc08497f41a6050663c9511632ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1520\background

Filesize
28KB

MD5
6c0ee49a7fd729049e4dd57a97242e62

SHA1
29bc6da2e1f568cb1c30993a4c4090d912079e01

SHA256
080c73382c5cb466ee27fcc5dc724becece17c20f7d3a87b59fc2df279a4647c

SHA512
359530f9b647f126dc723bcf6e7562903b6eefeae2d5a9b3d12d4e072fa938f1f8abcf69ddd030f8d788afea404440aa2fca65f4b6e229f004ac86b50ea27f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1520\exitbackground

Filesize
20KB

MD5
d682cf32d866500c87e4e2f6a1dbf870

SHA1
ff8620ab4011918551275235a1ec15c0c04f8e40

SHA256
ac53fb5f87fa500ad17a7b3aa171206d6126dd5f2f252932cdf065bf264b57ac

SHA512
6f02dae147a72e04d2c55ff8432d17941da8cb0c4c12cb22d6c14452c88fe2c434ddbb8860d4cdba14ff3637104c19f267bdd786c6464a160ffad49ba42d9c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab196D.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2234.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4500.tmp

Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4781.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4781.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI482E.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI487D.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI491A.tmp

Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4C07.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4C66.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4CE4.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B44.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D32.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\AuthenticationManager.dll

Filesize
34KB

MD5
822b775f9b2a67cd92cc3f038654121d

SHA1
44d01abe15b363978abe861279b87c0d87907628

SHA256
c7fd1050bc4ad0ade21ab2554d1a38d8278f0171196456ba45c4eabdc27fff45

SHA512
d3f0aa4fdeb76ceb7f768b12dd0e680ebd120f1663f4eba46f3baad2e0966899e8e0ce5306f1fb1068b0f84b47674bd15b7c96cfdc89866d725112d885d7c34b

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\AutoDetect.dll

Filesize
20KB

MD5
35ff062733b50b0f916900454053b16e

SHA1
d857ac667c2c28b76c9c8a875f591d739c7c0857

SHA256
15ef5c32c8fceadc426bb7d7d12658bf0ae0843720292c9ca7a31798b696d29a

SHA512
31bb4c6b7bd9a0011bf88b18ac5dd59b9c27fcb89ccca5bf0112ff05564d120edc26993dedd0df90d1e6457d6440da6f182186d4a4a1c42cfbc563e5c534c055

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\ByClickDownloader.exe

Filesize
216KB

MD5
06b72fda7337e05f5f26d8c140f149b2

SHA1
9ccd45a5ca7d566a98031108315358eda19a4a87

SHA256
c00d02f00b83c8c8ced54d86c7fcd917b961e9bb4cf2dbd6af75f93ea7e7e94c

SHA512
a57bf9e64bb706bd3eb6af20f4c44ca0299924de21acbc20069c37a8783ff8c1ef5470aea40cf3d7f787e687d0d616ed433b887cd8af131f3441a7df05613fe0

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\ByClickDownloader.exe.config

Filesize
416B

MD5
4f8997b30fddd9502bba0659d6b4b525

SHA1
9b9b527103c2bc5952c18ce01b34cf303916c184

SHA256
0116eb1b3eca542cfe2050b1feb73ca4d8e0f3d3dab6f916a49b1056969a68ae

SHA512
c80ba84a4b056bcbcea75dce1568ffa88f14e815e619c8ed3187cdd967b2a04bbe7fa0a7cda204a8080efc417eac016c3b0a6283e66384dc93abdec4d183bd0f

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Configuration.dll

Filesize
39KB

MD5
9b2967693d8def0179d6c0809ca46ae3

SHA1
9862341b7dc2b6638d03d34bce50d7779a80bfba

SHA256
8522bc80048b36520fd65988aae5dd4c1d5037ac67581b44890486f562f11b24

SHA512
2d546e0929a77bab957750ae14397e679107a4e242275fad2c89a5688e1fbfe71878505b1c2635e308cc2722380d8df486ce7a3577058786177a800dc8b31781

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Core.dll

Filesize
15KB

MD5
8b9f3ff0f80dc281fd0dec306c902873

SHA1
c2499ed38261690e45da2fd8c4cd40c4c3de3d02

SHA256
78eee8fff117366cbed4d5ba6995f5579c1fedc89b7b71ddfb7f038b5837b75d

SHA512
99c0951bc2f589beefc46c263d6a59bf9a4265c73e268def5d82bfd8ec64f50efa7210bc904b5392a5660feb26a8bea044945773159af67a003e5f0274dc9a16

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\GUI.dll

Filesize
1.9MB

MD5
196926bb75d171053c9ebb2b8569fc73

SHA1
dd85520e3d2b7548eff0df7bebfe3d5ea430907a

SHA256
e9ef4af18a4e1a1a74ede2a5f51e55462cfc93f71998c29b9de587984d7e0be2

SHA512
cd1c892481c57b30340ba50f52ebe1b320afc2c0fa369f7e0f7ea6ea10f9b5bde0ee5e44a2acbabc4a4ac84d699c7ec665ef2a516479e1a894db9e163109e713

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\History.dll

Filesize
7KB

MD5
4ec787f4ebdc0c024088d04a566b6ff1

SHA1
c32c1c60f857d8c7fa22765af483eb4fc6b5ef34

SHA256
4bd5416c166e444cf624229d8d7d28c90c50e23e29402391aaaa4e52ecfb467f

SHA512
fc6b38c2547ca3b4a9db9bef8f537b2711d57e2b477342aea676f32c50cc596d3f7060a1c6a15567b37743594e0bac62a53974dd9e23640fc8499c113c492f3a

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Interop.iTunesLib.dll

Filesize
67KB

MD5
c89198d3a53e6d1158962d03f14f7186

SHA1
f010c4c05bcaeedea7d7cdc8d7b99217a0d7f541

SHA256
e86883a4033204ef5db738bfc6b2abfb80be82324470ca8c69d58b4b512e20a9

SHA512
53595d200b8413f066bdf98bf726c3074ca0e49cb96e6310656c4414297d7a47cd7d3dc408ae3d48f7991cbc359d45cf79097584f7fda671c80d749aa0019fda

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Ionic.Zip.dll

Filesize
223KB

MD5
e1db6c3c8be9f4a7a4af7cc9e235058b

SHA1
9d8da7fd75edf38626e71bec234d734e8e6cad68

SHA256
f7866db2e72acadecd5249b913f3d6d1148d3bbc99e341e937d883fad6eb8722

SHA512
076c8e934bb0f2caa81e1a9c9e6c20a08faac13dcabea08a0a7807135472bcfe3aa749ef6558c57459ebf9fdec8a4c9a13e7cb8832028e022c8853e15d9ed370

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Microsoft.WindowsAPICodePack.Shell.dll

Filesize
530KB

MD5
6d8deb7be7360761fd43ec9ddcaa0811

SHA1
b45482a37b381de2a0293b6be48c4cdef04aebff

SHA256
aa5d80cdc0da52970031309b457e3e3fd505bb1ac13fb79801d15bfbb4a700b2

SHA512
c400812dcdec40e4bce3ebfd1a3d472dbe27fb5bccd22e198f870f418c003d121135fa82e6699c581167f48393cacfc4876eb2e50f51104bcd9d322a5641f75c

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Microsoft.WindowsAPICodePack.dll

Filesize
103KB

MD5
56e013e924822c9d02329b15b03ede73

SHA1
085dacfcd1ffa398b795d096833d16367b0d2886

SHA256
7b88388b8367f0d873d0e3b66f533869c24e346fb6f0b2c6c783f931cc9a1631

SHA512
ea0020ee32e0c7e7323f5858a462bf762f65013509012147430f0d8f665eb86f534d2491ca9f737c15bf6f995a8d3e0172537129a0dc8628cf7bf0d0f48457d1

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\NAudio.dll

Filesize
460KB

MD5
8298c971e8a367499cd9fbeee08d0472

SHA1
a3b8e87d2975b8b7cb5656a16d3794e85aeb8166

SHA256
332d9caf9c0172aabd7ff8ca909967d31dc17329b64b65d1fb13b84c6ca5a729

SHA512
46541667deefe0956dba5b158ce4f42e899a23f397c840edad12ebd8853bdd1ab7a2df15eafa9a832b25e2200702e2928e9321cffaf1ba9d02dc9fa016667b41

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Newtonsoft.Json.dll

Filesize
478KB

MD5
8d6860fe26c7fdd1b80381c22979238c

SHA1
7f4e98ed0ed3686d234ed94bfdf395924266ca03

SHA256
0516d4109263c126c779e4e8f5879349663fa0a5b23d6d44167403e14066e6f9

SHA512
cff6df3d1c66912bbb4ab0e97ac4aed82705cad4c7aabcf5b5a3f5a5833995e168699f4b32e7711477171769937157a7a79ae0da716522e9d1c972260669cd0f

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\Parser.dll

Filesize
331KB

MD5
5d8a006c90acdccf0295e9283b5b3193

SHA1
b946df4d146464a481b56b978c4d83d79532b790

SHA256
2401190c5dd4d8dc7e6e1a32d6b0112f9c228fb580cf5cef0e190b6aae5b3e94

SHA512
b8d6cdccaa7ea300ee7247a17a2f83c1877e6de5cc2dae5d0825352043d03e729e1f39797bca2691102752e44d51c10f819ac0e8f36431fb279b5378941d9419

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\SQLite.Interop.dll

Filesize
1.2MB

MD5
0a6de5fa6ec9a63cabcdd4050daa551b

SHA1
db8cb1009f21c10f2509df1ec0ce736c89a78446

SHA256
29397546eb8dc57f7c0dc4132ca454c0eabb4047eb69eb104baf4603a16829df

SHA512
8755968550fed89235a0d97df8dad807d1bf77198ac3eb354ed6fa258622fe8c7b104116755cdeddfb987801dbc14b5cd08b262031a055928a413ab528d22428

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\System.Data.SQLite.dll

Filesize
355KB

MD5
fd3874b6c0733eabe7e9c8df6cfb4d6b

SHA1
8f75a506baea72293485bfa3f77d221957011cb2

SHA256
93bb35bb3bc74bfa8016eb335a18fd89a8b3678bd4073108122d5d9af94e655e

SHA512
169a1eb4952f037d6dbd53a9b74e6671770a2c6d000776c497c34586c494f616c3b9325e1fe75fea00bc23268d02a8c5f895bb05290f9d159c8e7d8087d3f80d

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\UpdaterV2.exe

Filesize
160KB

MD5
3a384420fa45ba57116610eeaff2d0d9

SHA1
cec74c23af259ecb7927e2e02369b3bfb2d9989d

SHA256
14ef726505ae07e9a68797351f34ad1dddf53ece81a9b1cd0be3f3acc490500e

SHA512
8b8d0f0646880742359e839c096df82ca5d4448fd7b2c1bddc9f6adb199f96183fa3ab57224f312d52f111a66b5f8814d505b702d405ed1d454434818755b2d5

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\WpfAnimatedGif.dll

Filesize
37KB

MD5
fea7d5fc4ab6bd0013f08992144cd4df

SHA1
62bf492c0725e2993990afa52b4dfa772a61ed21

SHA256
6e4857203ae663d9b608b27d6586f15fbfbc5373de3ed16bc0789b0efe8e8079

SHA512
c4a59c15b679fb1d0511d07ba22031addfe787af822c552d134206418cf214e238559a80b45e38ed17ba4a2dc09865898ca128f1aec818840184960b49dde2c4

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\YouTube By Click.msi

Filesize
3.8MB

MD5
39051b3ccc11dbde8ac9ff343d8eeaa5

SHA1
600a61e4d8fefb34bda6626ac2460dc896086dd7

SHA256
7cb15820b11fc3db7bd527ad4d3a3b4547851624de58e0332d9ffed9d2414606

SHA512
6f53f4663c67740858003a0dcf1e62bd34883149492f5fefa18a3656c281bfcb462247ed74384eb276ba660023309dbf2505cebcd7cba8a2043cfa3bccc7b855

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\YouTube By Click.msi

Filesize
3.8MB

MD5
39051b3ccc11dbde8ac9ff343d8eeaa5

SHA1
600a61e4d8fefb34bda6626ac2460dc896086dd7

SHA256
7cb15820b11fc3db7bd527ad4d3a3b4547851624de58e0332d9ffed9d2414606

SHA512
6f53f4663c67740858003a0dcf1e62bd34883149492f5fefa18a3656c281bfcb462247ed74384eb276ba660023309dbf2505cebcd7cba8a2043cfa3bccc7b855

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\ffmpeg.exe

Filesize
75.3MB

MD5
d1c71a7aac3c17e2fbd1e72fc8c58a28

SHA1
7b98c24d9e02687a9377028857e64184aa04d996

SHA256
89346faaae4beb428478623b3aabf260064033b3821153c5d1095e8cac15f76f

SHA512
2733d331b0d813d8bc8b7c9c7ef0ecc28703e5fdac812e6f36ea17846c43ebe9d600ee2294cdde9b978a8585ac2ec1fa25ccd38fdf637e5958ce73154e36d046

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\rtmpdump.exe

Filesize
476KB

MD5
cf9c3dc663b49d1af68e95d9e683edfa

SHA1
a97159dad2c7b3bae2ebbc3a470b3c8379090911

SHA256
578723be936856b24038fa4ef451a4eba7871aa8d46fa58272e133298aacb232

SHA512
5d741e3567db1caef79d831f4fee7a579b7deccd39dd8000751fc7fa5149e2cf5db4cab4f14173f439e6e7ba7757b817949a4588748f42b542a334faa559bcb8

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\31B80DA\taglib-sharp.dll

Filesize
417KB

MD5
d5cf1c053da90266cde151b7748b4f47

SHA1
96ead44cbef46a202e42d1d76620144c8c6a0fb1

SHA256
5fd1f810e8e4bfeef32c9a1c882e2980f5158f6c813147bf4c185517b7581734

SHA512
5a819438a005e38387e34cf6297b6eb4874f8d9650fd1692d7d43572251edff970ea6d63802119eaac3048e39af370190506bd4923d749330652ef5efedd30d8

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
C:\Windows\Installer\MSIE092.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Windows\Installer\MSIE3BE.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
C:\Windows\Installer\MSIE45B.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Windows\Installer\MSIE7C6.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
C:\Windows\Installer\MSIE7C6.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
C:\Windows\Installer\MSIF0FA.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Windows\Installer\MSIF3C9.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2234.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4500.tmp

Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4781.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSI482E.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSI487D.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSI491A.tmp

Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4C07.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4C66.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4CE4.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.3.37\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit
\Windows\Installer\MSIE092.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Windows\Installer\MSIE3BE.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
\Windows\Installer\MSIE45B.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Windows\Installer\MSIE7C6.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
\Windows\Installer\MSIF0FA.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
\Windows\Installer\MSIF3C9.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
memory/972-438-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1516-729-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1516-472-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1516-487-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/1516-482-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/1516-483-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/1516-728-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1516-481-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1516-730-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/1516-480-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/1516-479-0x0000000004890000-0x00000000048FE000-memory.dmp

Filesize
440KB

Download
memory/1516-477-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/1516-476-0x0000000004830000-0x000000000488A000-memory.dmp

Filesize
360KB

Download
memory/1516-475-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/1516-474-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/1516-473-0x0000000004DF0000-0x0000000004FE2000-memory.dmp

Filesize
1.9MB

Download
memory/1516-486-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1516-1123-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/1516-441-0x0000000001120000-0x000000000115A000-memory.dmp

Filesize
232KB

Download
memory/1520-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1520-250-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2220-1161-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2220-1162-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2220-1163-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/2220-1164-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/2220-1166-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2220-1165-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2220-1167-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2220-1168-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2220-1169-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/2220-1182-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download