61c11fd68de2448e1c396b811052766d4dbaf1812079b0b5278478eda367efb0

Analysis

max time kernel
62s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aTube_Catcher_FREE_9991.exe
Size

24.1MB
MD5

eec82d625010a7a177035dc6d7540824
SHA1

3ff6ef5202a0b2d35d7509f703e3ae6d79305acd
SHA256

61c11fd68de2448e1c396b811052766d4dbaf1812079b0b5278478eda367efb0
SHA512

0ceabe9034c87149148d47e5302a1ee2a33b0739c897d6c51a7ea865db7fdbcf23ce0599f7155820a92948f7522e2c4a7acff0a9b4e7fe48d4e0eeeda427ef94
SSDEEP

393216:AdrXnY1guAEElI9BUfibFyqpYCD8apON5AtWPm/v7xltQ/UiZdmuSngSLcGKrRi:iygx4UypVxpQAtKmHrtPBnRLcGKrRi

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aTube_Catcher_FREE_9991.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	aTube_Catcher_FREE_9991.tmp

Executes dropped EXE 3 IoCs

Processes:

aTube_Catcher_FREE_9991.tmpeWorker.exeyct.exe

pid process

1572 aTube_Catcher_FREE_9991.tmp
1440 eWorker.exe
5040 yct.exe

pid	process
1572	aTube_Catcher_FREE_9991.tmp
1440	eWorker.exe
5040	yct.exe

Loads dropped DLL 45 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeyct.exe

pid	process
3772	regsvr32.exe
1512	regsvr32.exe
3020	regsvr32.exe
4184	regsvr32.exe
3528	regsvr32.exe
4208	regsvr32.exe
388	regsvr32.exe
4852	regsvr32.exe
5036	regsvr32.exe
4796	regsvr32.exe
4892	regsvr32.exe
4892	regsvr32.exe
4892	regsvr32.exe
2168	regsvr32.exe
4008	regsvr32.exe
4932	regsvr32.exe
4400	regsvr32.exe
4652	regsvr32.exe
4808	regsvr32.exe
408	regsvr32.exe
408	regsvr32.exe
4576	regsvr32.exe
3968	regsvr32.exe
3092	regsvr32.exe
3092	regsvr32.exe
3092	regsvr32.exe
4900	regsvr32.exe
2908	regsvr32.exe
4228	regsvr32.exe
1028	regsvr32.exe
4928	regsvr32.exe
2640	regsvr32.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe
5040	yct.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

Processes:

aTube_Catcher_FREE_9991.tmprundll32.exeregsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DartSock.dll	aTube_Catcher_FREE_9991.tmp
File created	C:\Windows\SysWOW64\is-K7EH4.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Windows\SysWOW64\fmcodec.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ScrRecX.log	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\SETBC0D.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SETBC0D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\DartSecure2.dll	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Windows\SysWOW64\DartCertificate.dll	aTube_Catcher_FREE_9991.tmp
File created	C:\Windows\SysWOW64\is-E8AM3.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Windows\SysWOW64\is-EL2BJ.tmp	aTube_Catcher_FREE_9991.tmp

Drops file in Program Files directory 64 IoCs

Processes:

aTube_Catcher_FREE_9991.tmpyct.exe

description	ioc	process
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\is-TRDQ1.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\MP3_192.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\MP3_320.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\aTubeRawSocket.dll	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-0PHV8.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\APPLETV.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\RMVB.apf	yct.exe
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-59MGI.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-H9KVC.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\BBCELLH320x240.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\IPHONE320x240.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\MPEG4HQANDROID.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\SVCDNTSC.apf	yct.exe
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-OBAR0.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-NKAHF.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-GO7J0.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-3RCHH.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\VCDNTSC.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\aTubeRec.dll	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-306D3.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-C13MC.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-IJRS2.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-OV4E8.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-9PHK6.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\MP3\is-0K9D0.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\is-BSM19.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\WIIMJPEG.apf	yct.exe
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-BAA10.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-J9379.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-0GLQT.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-R5SPG.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\AVIDIVX.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\FLV.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\MOV.apf	yct.exe
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\BDR\is-FMLIV.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-7C8I5.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\CELLH320x240.apf	yct.exe
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-I641F.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-DGV6N.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\OGG.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomdvdimg.dll	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\is-9TM09.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\english.txt	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\galician.txt	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\WnASPI32.dll	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-BD1D9.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-OPL9G.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-HC2L6.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-P0909.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\AVIXVID.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\FLAC.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\MP3_128.apf	yct.exe
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-9EGG5.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-9J60O.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Profiles\is-SGUQI.tmp	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\is-RR7ON.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\profiles\VOB.apf	yct.exe
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudioprocess.dll	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\rtmpdump.exe	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\Language\is-S791Q.tmp	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomwaveform.dll	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\StarBurn.dll	aTube_Catcher_FREE_9991.tmp
File opened for modification	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\tsmuxer.exe	aTube_Catcher_FREE_9991.tmp
File created	C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\is-L69R6.tmp	aTube_Catcher_FREE_9991.tmp

Drops file in Windows directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\SETBBFD.tmp	rundll32.exe
File created	C:\Windows\INF\SETBBFD.tmp	rundll32.exe
File opened for modification	C:\Windows\INF\fmcodec.INF	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

692 taskkill.exe
3144 taskkill.exe
640 taskkill.exe

pid	process
692	taskkill.exe
3144	taskkill.exe
640	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeeWorker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF4DF009-0001-41ED-BABB-5B4967515601}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25B6AD70-DD2A-4DCE-ACF4-8D837AB2A939}\ToolboxBitmap32\ = "C:\\PROGRA~2\\DSNETC~1\\ATUBEC~1.0\\AUDIOC~1.OCX, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DF74538-EF2C-4205-8901-16D95E03C1B1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chilkat_9_5_0.Socket	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chilkat_9_5_0.Csv\CurVer\ = "Chilkat_9_5_0.Csv.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64EE89E4-01AD-4865-8B40-E80CDDF2783B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DSNCLiteTimer.CLiteTimer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEDB6B70-ED7D-4F9E-A0BC-66AFB42F7735}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1EC207F-F466-4114-A304-DF34751223A1}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D28787CF-B448-4F71-86ED-6395AAD45E32}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{371D0742-7A57-11D2-AD5A-00105A17B608}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A0FA677-D32D-4A7D-A809-9E39F6CB7E88}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DF65A40-F292-4D8D-8738-4814084CCD6B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{213E5C00-A18B-4748-8F47-AD5F76FB62E6}\ = "IPktXPacketX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED1FE6E1-F4C6-42D3-8365-9256509AAF77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1960C2CF-0779-4C86-950B-A62588E94424}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3AF3E09D-AEB4-42FE-8ED3-FBD2DDC68707}\TypeLib\ = "{65D9132C-B295-42A0-8421-B8B1DA27C5CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StarBurnX.DataFolder	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5540F1E5-82FE-11D3-B327-00C04F79563A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{26377592-38BD-42DC-9C8B-CB38900F250B}\TypeLib\ = "{004CB902-F437-4D01-BD85-9E18836DA5C2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E3435-8F73-417E-A57D-293A0A3AFC94}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B314611-2C19-4AB4-8513-A6EEA569D3C4}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chilkat_9_5_0.Task\CLSID\ = "{EFA96FEC-9371-4C3B-AB6D-DA9CDEF3CC41}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92B5CBD6-68B3-4C17-A717-696CC27D893E}\AppID = "{77317069-C4A6-4489-BEB9-757AA9525B31}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58BD963E-12A4-427E-9500-3A4FCEB545B2}\ = "Spider v9.5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{681B2E28-45AB-4E08-9983-0D7A00F80010}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78EBC21F-0841-4D47-9DD4-E324F122205F}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39FFE2A9-BBF3-48ED-AB97-11F202615954}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07530635-48E4-4E43-B3C5-7BF9FF08C2C5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18BB6D37-D35B-4EEF-B351-74245E6FA6E4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9916356C-DC63-4470-9759-6E25DEEC683D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3AF3E09D-AEB4-42FE-8ED3-FBD2DDC68707}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC37F7C-0423-42E4-BBD2-E713B8BD3BA1}\InprocServer32\ = "C:\\Program Files (x86)\\DsNET Corp\\aTube Catcher 2.0\\ChilkatAx-9.5.0-win32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0652E658-CB05-447B-95E5-0FB06EB8C23B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6CEA276-E79C-4026-BD46-933E3C8F88D8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCEF59D9-0417-414E-925A-96D20BA89EB4}\TypeLib\ = "{65D9132C-B295-42A0-8421-B8B1DA27C5CE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5968F990-ECED-40C1-B461-C0C8540BF607}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C754C4B4-6B0A-4664-ADDD-45467F0BCB7E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StarBurnX.Sessions.12\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95F0B3BE-E8AC-4995-9DCA-419849E06410}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{51F37CDE-2D78-495D-8B30-D57ABDA60369}\1.0\0\win32\ = "C:\\Program Files (x86)\\DsNET Corp\\aTube Catcher 2.0\\ImageThumbnailCP.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{371D0742-7A57-11D2-AD5A-00105A17B608}\ = "IUdp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{540054E6-D577-4E92-B730-86E83ADD9172}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D73DD88D-0428-47D2-9D60-79619E42F5B2}\ = "IBootImage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4995C839-42F3-4D4F-8A08-1BA24B5F5E8F}\ = "IChilkatGlobal"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C819F76-4B5C-4E9C-A49A-D6BF2190C09C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A886A6F1-AB8C-4544-A6DF-22DEF28281A3}\TypeLib	eWorker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B4-8589-11D1-B16A-00C0F0283628}\ = "ITreeView"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D19854F7-0896-4D86-8EC0-8C8A0A618E5D}\ = "IOleEventParam"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8AB62D2D-BD35-4745-9055-639B958399C7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32BD32D3-66EA-4EE6-A684-20CE86F757C1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chilkat_9_5_0.Mailboxes.1\ = "Mailboxes v9.5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEEE8DF2-338E-4DD5-BE3B-314B03BE82CC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD3B5CD4-869B-4004-BFAF-94297DB58411}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chilkat_9_5_0.PublicKey	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chilkat_9_5_0.HttpResponse.1\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A0FA677-D32D-4A7D-A809-9E39F6CB7E88}\ProgID\ = "Chilkat_9_5_0.XmlDSig.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2701FB1F-7865-4CD0-8E1B-2BB97F701946}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CAACAB0-6D9B-476C-88CE-5359DEC7CFBD}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aTube_Catcher_FREE_9991.tmp

pid process

1572 aTube_Catcher_FREE_9991.tmp
1572 aTube_Catcher_FREE_9991.tmp
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 692 taskkill.exe
Token: SeDebugPrivilege 3144 taskkill.exe
Token: SeDebugPrivilege 640 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

aTube_Catcher_FREE_9991.tmp

pid process

1572 aTube_Catcher_FREE_9991.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

yct.exe

pid process

5040 yct.exe
5040 yct.exe
5040 yct.exe

pid	process
1572	aTube_Catcher_FREE_9991.tmp
1572	aTube_Catcher_FREE_9991.tmp

description	pid	process
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe

pid	process
1572	aTube_Catcher_FREE_9991.tmp

pid	process
5040	yct.exe
5040	yct.exe
5040	yct.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aTube_Catcher_FREE_9991.exeaTube_Catcher_FREE_9991.tmp

description	pid	process	target process
PID 3004 wrote to memory of 1572	3004	aTube_Catcher_FREE_9991.exe	aTube_Catcher_FREE_9991.tmp
PID 3004 wrote to memory of 1572	3004	aTube_Catcher_FREE_9991.exe	aTube_Catcher_FREE_9991.tmp
PID 3004 wrote to memory of 1572	3004	aTube_Catcher_FREE_9991.exe	aTube_Catcher_FREE_9991.tmp
PID 1572 wrote to memory of 692	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 692	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 692	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 3144	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 3144	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 3144	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 640	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 640	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 640	1572	aTube_Catcher_FREE_9991.tmp	taskkill.exe
PID 1572 wrote to memory of 3772	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3772	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3772	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 1512	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 1512	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 1512	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3020	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3020	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3020	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4184	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4184	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4184	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3528	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3528	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 3528	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4208	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4208	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4208	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 388	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 388	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 388	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4852	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4852	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4852	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 5036	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 5036	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 5036	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4796	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4796	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4796	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4892	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4892	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4892	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 2168	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 2168	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 2168	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4008	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4008	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4008	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4932	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4932	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4932	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4400	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4400	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4400	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4652	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4652	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4652	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4808	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4808	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 4808	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe
PID 1572 wrote to memory of 408	1572	aTube_Catcher_FREE_9991.tmp	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\aTube_Catcher_FREE_9991.exe
"C:\Users\Admin\AppData\Local\Temp\aTube_Catcher_FREE_9991.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\is-RHSLR.tmp\aTube_Catcher_FREE_9991.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RHSLR.tmp\aTube_Catcher_FREE_9991.tmp" /SL5="$6018C,24704281,141824,C:\Users\Admin\AppData\Local\Temp\aTube_Catcher_FREE_9991.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im "yct.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im "ffmpeg.dll"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /f /im "eworker.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\aTubeRawSocket.dll"
    3⤵
    - Loads dropped DLL
    PID:3772
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\aTubeRec.dll"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1512
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\mscomctl.OCX"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3020
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\msscript.OCX"
    3⤵
    - Loads dropped DLL
    PID:4184
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\PacketX.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3528
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\dsnaic.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4208
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\DSNTabCtrl.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:388
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ExGrid.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4852
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ExButton.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:5036
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\DSNCLiteTimer.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4796
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\dvdauthor.ocx"
    3⤵
    - Loads dropped DLL
    PID:4892
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ImageThumbnailCP.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2168
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\cshtpax9.ocx"
    3⤵
    - Loads dropped DLL
    PID:4008
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DartSock.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4932
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DartCertificate.dll"
    3⤵
    - Loads dropped DLL
    PID:4400
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DartSecure2.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4652
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ChilkatAx-9.5.0-win32.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4808
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:408
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\lame_enc.dll"
    3⤵
    - Loads dropped DLL
    PID:4576
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudio.dll"
    3⤵
    - Loads dropped DLL
    PID:3968
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudiodata.dll"
    3⤵
    - Loads dropped DLL
    PID:3092
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudioencoder.dll"
    3⤵
    - Loads dropped DLL
    PID:4900
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudioprocess.dll"
    3⤵
    - Loads dropped DLL
    PID:2908
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomspeaker.dll"
    3⤵
    - Loads dropped DLL
    PID:4228
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomwave.dll"
    3⤵
    - Loads dropped DLL
    PID:1028
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomwaveform.dll"
    3⤵
    - Loads dropped DLL
    PID:4928
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\AudioCapture.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2640
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\is-36VGA.tmp\codecstp9376\fmcodec.inf
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3068
  - - C:\Windows\SysWOW64\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      PID:560
    - - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:4480
- - C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\eWorker.exe
    "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\eWorker.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1440
- - C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\yct.exe
    "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\yct.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\AudioCapture.ocx

Filesize
164KB

MD5
9e547d542c334f0aa201f917f58c451f

SHA1
703c64efee37f2d6d7d0627384f9caa9aacd6e90

SHA256
b9ebb9caf9130276bb560e47c47fd97529cc81c9c601ba9b0f8cabf896c90080

SHA512
ebce8562f3b97a20e52c377099b90fd51970440911b04e3c8be34db142ce465a4de62bb0cbaabbdbb4e22f0a8a745626a4d610c710d390078f080e480fa0bda5

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ChilkatAx-9.5.0-win32.dll

Filesize
9.6MB

MD5
9bb055a4c9d2af94d4f364558ffdd773

SHA1
d327b19f689b1e02be92516d85c10fbff1c5f8e1

SHA256
f8d54b00cb2ed337443e02eb5704b4c3edbf703cfb6297d0a95681369d061ff2

SHA512
e1f4246b32ba71ff157dba9eb8e0eb870686ae78e2c2ec1ceab454b010eeda6b4c5dd9acd33ea29683d1c3c194fb53dac771b2d44cd79b3387d8b3599ed8c99d

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\DSNCLiteTimer.dll

Filesize
28KB

MD5
72ec4057191f8ba5e9b6204d2f939642

SHA1
2f56e8a912253d95021394eace3f11d385ac9bd2

SHA256
5399e7cf6efa190657e6cffd5cd53b007afc1b452575dee6f4d64e90b73e97ba

SHA512
be4b0d94a20dbbe3e23cfef36f1e06380e76f24374999a39f21839186af6320bc88b65aa2424360e59fc79639d7872ec1ccd54af3da313301c3ce5213c544730

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\DSNTabCtrl.ocx

Filesize
136KB

MD5
0e21d5dd0949a0720fae0d2995d96a61

SHA1
d51505c0ed2c200e3b4f8b1ff59d028b6f8c4efb

SHA256
a701a90e409a79ee17e6423dcbeae12b33381e63d23333343ce0589fef21ee2c

SHA512
0eeb8f1a41131ba921a60471ee6d5939871453fe118c9bfe507dca35554a10d6b703b08dea2e807519df890bc84c9140376906c56b5fe1f07cdb6265444a46f7

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ExButton.dll

Filesize
1004KB

MD5
0be6d3393ac857acecfaaf964c81515d

SHA1
6229a6bcec185ecb8fe2740e90710f700baa5e29

SHA256
c5464549d420879c2467401f0488a8406623a79008d3492ffdb33e131cf61864

SHA512
07295de0a1f4785dcce606648e187d1bb7d12831040a0cbdb23a5598c342bbde7db24653f1b2dbae1b98fa333900c1cfe44cbc8ea5076947f9177a8434f815db

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ExGrid.dll

Filesize
2.8MB

MD5
62fda32453e109681380d44e4e7d14b8

SHA1
df4f1dad2a8c59a2634530235c9d97023281bd3c

SHA256
9d76c1a03541a035bd0ec54f5338ef800dc828054c0a767da3c82be2b3d37192

SHA512
82613d22ea713e3dadef6c73499dfa6e064c843b6db8b3c4a700271494283cf8956704e39b31a8ace2752b636c73497868d10341c9f485c796d5f14e333ecc96

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ImageThumbnailCP.ocx

Filesize
1.7MB

MD5
1fa5e6b4f2f80d3fe17bfd21e045c146

SHA1
d4cdd4fd3a68d863cc8f23e4e995c63ccb5ab0ae

SHA256
15c8a8ee89e2f09565798204d39e4bcf2c5c73fa86b39e44577b5ec8c0ad7dd9

SHA512
ca1ebce8004fda036eb9d25bdcf0f6c425fb69d7c6468d0db47202f7247a3cb479d8216ff67d8dfd0bf6bc974f7ec6edc7e1bd28451b4aab5f24086379c9220e

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\PacketX.dll

Filesize
384KB

MD5
bf2de16e19f971efb99799a6f771761a

SHA1
3f0908e0a38512d2a4fb05a824aa0f6cf3ba3b71

SHA256
9f755c46d30e8c9627fc4bf6fd55212bb58b1077fc3d47d8bbff7b92cbce7bc8

SHA512
8376a566bcd182856fb10a9a970b4feb71e6c976550c23d884bc0d64a0be72e61790f207d16ce4309a471dc3b344fe65084e893b9d9245e794dd462c851d1acc

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\StarBurn.dll

Filesize
3.4MB

MD5
fade7ca68771c6b2607633fa5c9e1f7f

SHA1
f3d23f4b89ace5f7b4ccb6c6d21f97ddb8ef3953

SHA256
ee516ef6a7d48ff945d82628deb8d99220ef81f3ca930deb20b3a22125cbb91f

SHA512
0d52ee18a75a2561e9c7a344e49ab1870a9e2a557ba34b1cc0bf77a74b36a96b17c616c8468de9ebcc350751cc7623e62928e118baa3999afaf33a4f790a369a

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll

Filesize
1.7MB

MD5
e7b108f6deb7ab8f01d81aa9777866e1

SHA1
20db8ca3db1157506ade714cd565abe9223a5d2c

SHA256
c26f2e3113de4516591ee99fc2f3937a0eca1855fbe4f3105c654999ef496d0a

SHA512
9d17c48bded1ef75768ca565c4d57fe1bc4918836a3d594323bfeefe9e15a7b7c265c549bac66d2895313f734217615632b7840a6052c87b9a08ce546ccccc6b

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\aTubeRawSocket.dll

Filesize
68KB

MD5
469801780d43c76c35b087b18541764e

SHA1
7771cd32bdd4da7c77c49aa94d8e56fb02c7cedb

SHA256
e6c6a4c894da9232ace480d015e3b52250622bfb5a6a97d1a41908400b531137

SHA512
47eaca40b404774515cd167f5fb8fc0a63c5d0d5b1041951508cbbbc17de92ad2ef93fcc397b508634fa4e50707175b39f62a9d14d7941636cce756b80f0fbe0

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\aTubeRec.dll

Filesize
780KB

MD5
354c32f891ba99c32359ea74b168bb59

SHA1
83168fdba507c59664cf57c08e8775a84363302f

SHA256
83828e4f59b6aa28706b1c05ee41ac6bd6f0922913398595db65575c0f01c632

SHA512
5285095c0155c7e2257a36b727c7e8de098300ffad34f1e784185d6e6a12a0a61835c39e75bce211f9a02cbc63c9ac908d329a15110aad9f6c3000775a0d1269

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\cshtpax9.ocx

Filesize
441KB

MD5
c1768153c6b8bb4d390db4fea45c5077

SHA1
2e3f471bffe1147c2cc6e94e4e5700796758a035

SHA256
cd25107b5fd9ccc92a286252b256af521090c07b072835abb304ee5f9803639f

SHA512
c64cccc32599268fcfa4673ed4ac51d148e0c47d4482b2f33a573997d1438aaa4691b755dc22db5b84b8a6781d6c7f5d01238e53677234dde623f79a79c6ab2d

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\dsnaic.ocx

Filesize
344KB

MD5
a6a46feb22f998fa35e0e6158be00569

SHA1
5b559328d37d44224a17b30537391a0f135bc136

SHA256
0a19a9491f60b82080ec3cde1f820ae57575efddfa790f23c6548d53b3165b2b

SHA512
66feb8abf67fbcdd7e6bd999302ab5e013176e4c6003d42227160e26284a2f8dcf68fc630f22a132703beb5fc5e3d5efbb7c8ccdc2eabaa2c9056d9adf93ca37

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\dvdauthor.ocx

Filesize
328KB

MD5
6f7f62505e12ef84ba141aed1b188d5b

SHA1
a8e54e9deaa7d0d2aa728f93a2315283bc01f47f

SHA256
45b5f2db8bdb0790651c81833fa42e45787feac3bc7a856198f42e414ecaab47

SHA512
60821ab12fcfa120b7b65d37a5ad58e822f73f52253a01f70b26a06571cc7cd34a4a2f61586153e741c35a72962ed0c482542f7b93189a52155a1a13c22329d6

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\lame_enc.dll

Filesize
256KB

MD5
2ad765c76147369070e712b4bb3f5c14

SHA1
baf543dd3722a0b13f35c8d4b4446fa15d6439cb

SHA256
dd81ff58adc8994aff0eccb0f43c9eaad9d1b106069928b0a6b5c0a466c885ef

SHA512
a1bb5cdd99990bcac7a9714449db56a1f680b69482358f64e81373bde41618e3c0fd3839ac4e4985895d05e6b60724247539d3e0d04d8604fc6db2a86c76ead1

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\mscomctl.OCX

Filesize
1.0MB

MD5
e52859fcb7a827cacfce7963184c7d24

SHA1
35c4ae05d90f610c0520933faaca2a8d39e1b2a1

SHA256
45b6eef5bbf223cf8ff78f5014b68a72f0bc2cceaed030dece0a1abacf88f1f8

SHA512
013e6bf4762b1f90650ee6a1cb275607d1cad9df481362f42606a37f3a6f63de5cd0cdb0e9739df141b58f67ac079cf27be4ffe4937371972dd14eae18c58a94

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\msscript.OCX

Filesize
101KB

MD5
bacce4e044212e8e57bd8946abca9072

SHA1
d91aeed0c9f2e97ce61c24698b7029c8275e8e59

SHA256
a647c88171f5051f8ecec4d65c2cb57f96e378cbd562b08758b6273b27758791

SHA512
f91851f4ac592487691a915e553c2c60f6c4231180722aa4ccb9463acdd1b141551f175a05a8332c96e9c60bacd0adb02860ed2b07fc4a9e9dcc03e584c92bc2

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudio.dll

Filesize
100KB

MD5
77a4ca4de85629a0f3c64a632fac3c32

SHA1
9dab43ac031a82c60ad0d32fad2ee303dfae0023

SHA256
8fde2a88cc426ead96867ca7a38af6a25475609a7ac7a2917023032b80a620e9

SHA512
06f4571a737aaa8d93ddb7b6a23c074c589f8981919c3a3131cdfac6d13de00956cd9d9573ccfefec37876b3a773ba4863efef394d4a7e0df0bdb7e031421729

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudiodata.dll

Filesize
92KB

MD5
ed60fb3b0a0ae5ce21300a927a06b131

SHA1
ce5d2f71f8a1770afbf4d3d35d4f355f629d36db

SHA256
4831f6ffdeb612cc1b928098d63a819f4c48848521d827e238eeeb66222cf57a

SHA512
01c13cfb0eb8a890180252b733cb99ef9b4647115258f3444bcd178eb81184cbdec50771157ce554d5a3c696ce1a690fb857a7a2e174f4bb92e66ea6cea56a09

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudioencoder.dll

Filesize
108KB

MD5
849aaf23d5932cc8c3585309aeb8a3a4

SHA1
4c14d6a6ec10d060a862a18147e589fe35886666

SHA256
f54e53ed208acc509d4bb9f5b58ab136b4c45f8b7e08818d28e986e089249049

SHA512
c1cc5f9f22d179e5ff8008cde568504873a1ca6ff1dc4f01d57052c16f5d5407f5b6051b00da6a624a0edd2a1a7717dc8bfe0ee16919c116526f11cc30773994

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomaudioprocess.dll

Filesize
68KB

MD5
632bb782309d2a09cad7b35ac8dc98fc

SHA1
6c4581f984d5dbba09f959ac6cdfd12eb3e235b1

SHA256
851240c7d42ab8cd5a27211d2198158c4086ddf2346b818c01d8503a32a80b75

SHA512
9a0b1acbe8c3ac2121ca5267d3b6aa12feac0a1baadad17b49a372ba8a83bed53071b0a260916a5999d67e24867dff35d991330b0d1613e65b8d66f0c84e5f24

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomdvdimg.dll

Filesize
228KB

MD5
6c5e7b0ce88c91f31eece36ddc001f35

SHA1
f128ada2e7d8831561c8bde71e04dc18fdb5a737

SHA256
5f563497a38c931cad637cf1a86f008c82f0257df90bb731261e147c2b0f539c

SHA512
b85507d3f0e8951a98f36701d8dddaa8ff10e24c50658a92ca7c4da57df32b251e676d38cfb8a317ea5a801376b63d3fc821c74b41d10ef726c7111438ce9e5f

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomspeaker.dll

Filesize
116KB

MD5
b94c6085c37d15a559538593f106f5f9

SHA1
4f1964f7f72c0f11edfa7bdea40e9b2c583ebc7b

SHA256
cbc9fe0fa98c54e54350c4d8ac73aeda25e4f5c7de12d35e6b9da14b41fb1177

SHA512
aa3739cf24c82be378f81a123fdabe466095c8772f5d5dc773149e88f901dc7406d986cfe3648fa9084f9a5e81290dcc584df31b6a6477982b779addf93823f1

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomwave.dll

Filesize
80KB

MD5
29fb91549d3e63b279ab09124275ae64

SHA1
c96d9098074d401540be945fdbb96f0a7d9fd6af

SHA256
d9fbd7b3263c914d153e5be1652550612d16dadc16c212abc446f6cd41441589

SHA512
21d3ca8ebbad40b68cc6a76e86be006f010ffad05a4694b6d69ed177ab22d12e46d79196e9e337f0ee50dd8563c7ef8d554d79646a68abe59974b605c9cf3c2d

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\viscomwaveform.dll

Filesize
152KB

MD5
6c03c1cb5d90e620299009b942855f7e

SHA1
b3b26f783dd3f4e8ff92a6d3ba5b4f4fa897d083

SHA256
8c230b0ae294729728e3a4853feb56f13bd86f9aa2d072e4cfb288a314072000

SHA512
b13b28699c562bfc99f8ab86eeefda92ea4f730950928c01e6d5ad221510b569efd4b6e3bbc87be04b816e4f665f9d620402212c5b04a9e29956183a611a53f1

Download Submit
C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\yct.exe

Filesize
6.5MB

MD5
15276954206c36e875d8c5cab0b08df2

SHA1
ee7a229024fdca47c5c771b24c4530c891d445a4

SHA256
cdc13b1c75f4d4c00958b73d4665c5720f2f28667618c9db6e9f1ef19f1b6727

SHA512
dda02b76113e5a680e120d769cb5cdfba45f2c87e171f47c560663152ebea96747d29909be6669d7394d60e73580a28df99176754ba51af0e48ca11d90d05cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36VGA.tmp\codecstp9376\fmcodec.inf

Filesize
1KB

MD5
5070f76c2a37abcc32625328a5536c5f

SHA1
eacbe1153c115e8acbe1052bd74918d39278f440

SHA256
a0a515ca7ecca5c9b7534d0c3ba7711f8d9fd821f1a5d3ceecae9af372681a8d

SHA512
fcaa758274531e327786eda2635f18213cd1857ffce50ca1ec679baaf295f7ddbe346bcb39f2bf6e40ee8a6517f9b667877ab3491e7553b8262d59147d28c2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RHSLR.tmp\aTube_Catcher_FREE_9991.tmp

Filesize
1.2MB

MD5
db1676059e94b886c062a4fe2ed6e194

SHA1
2d6fd279c1eea4438638aab11bc286aea3b8aaba

SHA256
955a7b3d2a8416084550ff6f8918c148b071613ff9391fd6be6f9e7b5f2acf1a

SHA512
0cbbac993100f1c4cd022e4fe5d2eb50ae7a5eb3afcc2dcb984252029f04b0d05f549b999603cce3acd7a234b51d5f1c8a49bdd425f1e635c1c1c9450ca5e205

Download Submit
C:\Windows\SysWOW64\DartCertificate.dll

Filesize
244KB

MD5
cded5c5ef0b224fe8e696b66426bc2c3

SHA1
e7190ce965882c68da5ee3678db0a26c9a882c7a

SHA256
33d9547e861ef85c66ce5afb325a0b8d31cc8a674c9f184b98e6ae907c84a89e

SHA512
90e8d5b89f5d6bffd76c1988073285eeed3926588a0d7e11417a9c912e9100655f21c74f377809be1f287cc488a4b1231ca0d3916f00ca51260ba752f7b3690d

Download Submit
C:\Windows\SysWOW64\DartSecure2.dll

Filesize
392KB

MD5
82709dca75e8ead5574ffad16e65c4b9

SHA1
5d2fb7708dbb4499ba0f8b3f73301bd5685037fd

SHA256
b10ac240a1184bb0bc3f674799b2555b6c32a2f60807927893b948a552953eb8

SHA512
502d12c04eafe25a1883122cf80bc915a70d6ffc5ba17768ce0c429e27054d7c04128824644f05761376bef331a2bb824c62a134ab62607fa638d1db5587b73b

Download Submit
C:\Windows\SysWOW64\DartSock.dll

Filesize
430KB

MD5
855c04bdeade5ea0be6892419568b13b

SHA1
8eb18fa861f22b0f7b48fa1f3bb3a98dcaeedebd

SHA256
1125a92cb1af37340cb1b0fd54c38aa058a3e67bc4f5c7f09e09d90337f27970

SHA512
0a44e54b410e06afa4029dac8428336197255f0f7bbf16ff135b5652e3aeca1d19175eab580d5dfaae8d4f9a2bae455a16ae548ff7ea182249b80b617fbee718

Download Submit
C:\Windows\SysWOW64\fmcodec.DLL

Filesize
76KB

MD5
5c8874ee321f4623fff7a1315039ddbc

SHA1
d6931f0240d577dd439a0d92095f1c7609f584bc

SHA256
03a1426ddda7e9187e52ad5def652e9201fc6829bff09ff99b34032b14778f28

SHA512
60bff4ed9da714985a4382c714c785bdb324a0301fad2a8a3d0c4b9f0fbacc2cf9c7c53b1b12ab6fd2ed24f33ca9f5df64061cd5cd418e2ce01a4e91c4b289e1

Download Submit
memory/1572-10-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1572-363-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1572-12-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1572-6-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1572-347-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1572-351-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/3004-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3004-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3004-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3004-364-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3092-325-0x0000000002730000-0x00000000027A2000-memory.dmp

Filesize
456KB

Download
memory/4892-299-0x0000000000BB0000-0x0000000000BED000-memory.dmp

Filesize
244KB

Download
memory/5040-357-0x00000000044A0000-0x00000000045A0000-memory.dmp

Filesize
1024KB

Download
memory/5040-365-0x0000000008710000-0x0000000008733000-memory.dmp

Filesize
140KB

Download