279c0f76b89e33f38127615c248c1a446d8090d5a88ecaf98d99aec437a2ac40

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByClickDownloader-Setup.exe
Size

43.6MB
MD5

5744b12f945a38556cce524cfe2ccb6c
SHA1

f5ef13393eb8ad574ff12b77c493902b8d7b6548
SHA256

279c0f76b89e33f38127615c248c1a446d8090d5a88ecaf98d99aec437a2ac40
SHA512

77bf3856c6549773a8fd256af89b872e07926aca9b1c8f700042ed04b7c454bb7a3d8cbdf10e9a66dba96b71325d6802ac939fa74017f0bf806e4babd345708a
SSDEEP

786432:i9+zykLmz2c7XCuZuXuYS7Nvs0vPLFo30mMSdyh81eVEcg/e7gCf0HALv:i9+zykLmz37yKDYS7NvskjO3hdyWYVOy

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\A:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\X:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\T:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\U:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Q:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\X:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Z:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\B:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\E:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\I:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\S:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Z:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\L:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Q:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\G:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\K:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\U:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\V:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\W:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\W:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\E:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\M:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\J:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\P:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\P:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\Y:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\M:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	ByClickDownloader-Setup.exe
File opened (read-only)	\??\O:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ByClickDownloader-Setup.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\System.Buffers.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ClearScript.V8.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ClearScript.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\WpfAnimatedGif.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Configuration.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ClearScriptV8.win-x64.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\System.Numerics.Vectors.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Microsoft.WindowsAPICodePack.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Microsoft.WindowsAPICodePack.Shell.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Parser.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\rtmpdump.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\System.Memory.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ClearScript.V8.ICUData.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\GUI.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Interop.iTunesLib.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe.config	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\AutoDetect.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\History.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Ionic.Zip.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\System.Data.SQLite.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\taglib-sharp.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ClearScriptV8.win-x86.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\NAudio.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\Core.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\SQLite.Interop.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\AuthenticationManager.dll	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\ffmpeg.exe	msiexec.exe
File created	C:\Program Files (x86)\By Click Downloader\UpdaterV2.exe	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB651.tmp	msiexec.exe
File created	C:\Windows\Installer\{F9195251-C35F-4744-B824-A1989333248B}\icon_1.exe	msiexec.exe
File created	C:\Windows\Installer\e58a9a9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a9a9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB9F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE13.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAD1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD95.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F9195251-C35F-4744-B824-A1989333248B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB99F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F9195251-C35F-4744-B824-A1989333248B}\icon_1.exe	msiexec.exe
File created	C:\Windows\Installer\e58a9ab.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4544	ByClickDownloader.exe

Loads dropped DLL 40 IoCs

pid	Process
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
5080	MsiExec.exe
2336	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ByClickDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ByClickDownloader-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ByClickDownloader-Setup.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\Version = "33816589"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\ProductIcon = "C:\\Windows\\Installer\\{F9195251-C35F-4744-B824-A1989333248B}\\icon_1.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3DC15DAB06874F0489B3F00B75123B3F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\PackageName = "YouTube By Click.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1525919FF53C44748B421A89393342B8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\ProductName = "By Click Downloader"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\ByClick\\By Click Downloader 2.4.13\\install\\333248B\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1525919FF53C44748B421A89393342B8\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3DC15DAB06874F0489B3F00B75123B3F\1525919FF53C44748B421A89393342B8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\PackageCode = "71E77D8AB4C4C8346ABA88C6FAD2FA1B"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\ByClick\\By Click Downloader 2.4.13\\install\\333248B\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1525919FF53C44748B421A89393342B8\AuthorizedLUAApp = "0"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	ByClickDownloader-Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ByClickDownloader-Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ByClickDownloader-Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	ByClickDownloader-Setup.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2300	MsiExec.exe
2880	msiexec.exe
2880	msiexec.exe
984	msedge.exe
984	msedge.exe
1268	msedge.exe
1268	msedge.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
3012	identity_helper.exe
3012	identity_helper.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe
4544	ByClickDownloader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2880	msiexec.exe
Token: SeCreateTokenPrivilege	904	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	904	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	904	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	904	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	904	ByClickDownloader-Setup.exe
Token: SeTcbPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSecurityPrivilege	904	ByClickDownloader-Setup.exe
Token: SeTakeOwnershipPrivilege	904	ByClickDownloader-Setup.exe
Token: SeLoadDriverPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSystemProfilePrivilege	904	ByClickDownloader-Setup.exe
Token: SeSystemtimePrivilege	904	ByClickDownloader-Setup.exe
Token: SeProfSingleProcessPrivilege	904	ByClickDownloader-Setup.exe
Token: SeIncBasePriorityPrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreatePagefilePrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreatePermanentPrivilege	904	ByClickDownloader-Setup.exe
Token: SeBackupPrivilege	904	ByClickDownloader-Setup.exe
Token: SeRestorePrivilege	904	ByClickDownloader-Setup.exe
Token: SeShutdownPrivilege	904	ByClickDownloader-Setup.exe
Token: SeDebugPrivilege	904	ByClickDownloader-Setup.exe
Token: SeAuditPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSystemEnvironmentPrivilege	904	ByClickDownloader-Setup.exe
Token: SeChangeNotifyPrivilege	904	ByClickDownloader-Setup.exe
Token: SeRemoteShutdownPrivilege	904	ByClickDownloader-Setup.exe
Token: SeUndockPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSyncAgentPrivilege	904	ByClickDownloader-Setup.exe
Token: SeEnableDelegationPrivilege	904	ByClickDownloader-Setup.exe
Token: SeManageVolumePrivilege	904	ByClickDownloader-Setup.exe
Token: SeImpersonatePrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreateGlobalPrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreateTokenPrivilege	904	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	904	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	904	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	904	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	904	ByClickDownloader-Setup.exe
Token: SeTcbPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSecurityPrivilege	904	ByClickDownloader-Setup.exe
Token: SeTakeOwnershipPrivilege	904	ByClickDownloader-Setup.exe
Token: SeLoadDriverPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSystemProfilePrivilege	904	ByClickDownloader-Setup.exe
Token: SeSystemtimePrivilege	904	ByClickDownloader-Setup.exe
Token: SeProfSingleProcessPrivilege	904	ByClickDownloader-Setup.exe
Token: SeIncBasePriorityPrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreatePagefilePrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreatePermanentPrivilege	904	ByClickDownloader-Setup.exe
Token: SeBackupPrivilege	904	ByClickDownloader-Setup.exe
Token: SeRestorePrivilege	904	ByClickDownloader-Setup.exe
Token: SeShutdownPrivilege	904	ByClickDownloader-Setup.exe
Token: SeDebugPrivilege	904	ByClickDownloader-Setup.exe
Token: SeAuditPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSystemEnvironmentPrivilege	904	ByClickDownloader-Setup.exe
Token: SeChangeNotifyPrivilege	904	ByClickDownloader-Setup.exe
Token: SeRemoteShutdownPrivilege	904	ByClickDownloader-Setup.exe
Token: SeUndockPrivilege	904	ByClickDownloader-Setup.exe
Token: SeSyncAgentPrivilege	904	ByClickDownloader-Setup.exe
Token: SeEnableDelegationPrivilege	904	ByClickDownloader-Setup.exe
Token: SeManageVolumePrivilege	904	ByClickDownloader-Setup.exe
Token: SeImpersonatePrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreateGlobalPrivilege	904	ByClickDownloader-Setup.exe
Token: SeCreateTokenPrivilege	904	ByClickDownloader-Setup.exe
Token: SeAssignPrimaryTokenPrivilege	904	ByClickDownloader-Setup.exe
Token: SeLockMemoryPrivilege	904	ByClickDownloader-Setup.exe
Token: SeIncreaseQuotaPrivilege	904	ByClickDownloader-Setup.exe
Token: SeMachineAccountPrivilege	904	ByClickDownloader-Setup.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
904	ByClickDownloader-Setup.exe
904	ByClickDownloader-Setup.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe
1268	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2300	2880	msiexec.exe	91
PID 2880 wrote to memory of 2300	2880	msiexec.exe	91
PID 2880 wrote to memory of 2300	2880	msiexec.exe	91
PID 904 wrote to memory of 2432	904	ByClickDownloader-Setup.exe	107
PID 904 wrote to memory of 2432	904	ByClickDownloader-Setup.exe	107
PID 904 wrote to memory of 2432	904	ByClickDownloader-Setup.exe	107
PID 2880 wrote to memory of 1948	2880	msiexec.exe	114
PID 2880 wrote to memory of 1948	2880	msiexec.exe	114
PID 2880 wrote to memory of 5080	2880	msiexec.exe	116
PID 2880 wrote to memory of 5080	2880	msiexec.exe	116
PID 2880 wrote to memory of 5080	2880	msiexec.exe	116
PID 2880 wrote to memory of 2336	2880	msiexec.exe	117
PID 2880 wrote to memory of 2336	2880	msiexec.exe	117
PID 2880 wrote to memory of 2336	2880	msiexec.exe	117
PID 4544 wrote to memory of 1268	4544	ByClickDownloader.exe	121
PID 4544 wrote to memory of 1268	4544	ByClickDownloader.exe	121
PID 1268 wrote to memory of 4472	1268	msedge.exe	122
PID 1268 wrote to memory of 4472	1268	msedge.exe	122
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 3964	1268	msedge.exe	123
PID 1268 wrote to memory of 984	1268	msedge.exe	124
PID 1268 wrote to memory of 984	1268	msedge.exe	124
PID 1268 wrote to memory of 2728	1268	msedge.exe	125
PID 1268 wrote to memory of 2728	1268	msedge.exe	125
PID 1268 wrote to memory of 2728	1268	msedge.exe	125
PID 1268 wrote to memory of 2728	1268	msedge.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe"
1⤵
- Enumerates connected drives
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\ByClickDownloader-Setup.exe" /i "C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\YouTube By Click.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\By Click Downloader" SECONDSEQUENCE="1" CLIENTPROCESSID="904" AI_MORE_CMD_LINE=1
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 39DD908EAA83A631A869B6C73B0446A3 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 426C3925D232511C85913A976A1A30FA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5080
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E0F6C0756F42CBB15EBED130C661097C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1792

C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe
"C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.byclickdownloader.com/Welcome.php?source=main
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff992ab46f8,0x7ff992ab4708,0x7ff992ab4718
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:3964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
    3⤵
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
    3⤵
    PID:3528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    3⤵
    PID:1412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    PID:1820
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    3⤵
    PID:5800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    3⤵
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:5132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,18077553987792263259,1797852046000744003,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3840 /prefetch:8
    3⤵
    PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/
  2⤵
  PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff992ab46f8,0x7ff992ab4708,0x7ff992ab4718
    3⤵
    PID:5740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x310
1⤵
PID:5240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a9aa.rbs

Filesize
15KB

MD5
1c61996bf1b75145a61735deafd0f74c

SHA1
12eb998b3c4260918dc726e84768f2e501cbd350

SHA256
9aa7018ef21082d7f188a147014cc596a95d240c6d9393f5ffe6e9a51a4a35b0

SHA512
1b4cae7041d6ed1cb7cf12e9b9152d71d49dea0d2cc5a4ec80b544019940794a655715e30bae0696df078d72cdec9706710e14f701e6a995c37b81695ed28a8a

Download Submit
C:\Program Files (x86)\By Click Downloader\ByClickDownloader.exe

Filesize
216KB

MD5
848056bcc022d88fafd02a9c30326202

SHA1
e49889704e7cbfe3e570d27a37e2d3afc7b7a007

SHA256
6990a784f5ccbd72271af571e170f16a42a5b329258d56027a7bae5b6bc225cd

SHA512
14000b6d6cf8cede48ee062e09cab5befc3273a3ab310151d2e7ea77c25abbca143b420279ed20f45d235cfb1d1c12c37f2de0de959fbb94c088f1b8f2f41982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
aaf2a85d011883480d54ea8194b4d950

SHA1
1387c53c2effc6209a1669a4ae2b969c2d4fb8f2

SHA256
568db501936a27458da92dea13193b61b871a89c761e945e4c0b4c4a4abe7d23

SHA512
6fd9e9642d4ac3d45f308922eab9ac6a2aa69f4a70d22bf88075745bb64124f1abcabf87a20eb4063044dfbac814a78c6afa0c3ffcef87fe145be3d5183013ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
01e7519cfc7a7f8078386dad88727fd0

SHA1
4d2f5c5d846490a87b0c4e2217e8413fff208b5d

SHA256
9236556c2e982a8ce635d68300a4855e5a008e29642f0571e9059ec60d5ef3c0

SHA512
6f211c5a89a366c8a34540cc0422c48c2899924164ed58773b5059fa60fd470ec908858d7ced887e02c6d295676a67dd7c4b71f39a7426512c68a7f484b3ceff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_51151F3894C6D8DE5216CA8F889633E4

Filesize
510B

MD5
590292127f3d3afb88656ad1b7ef48dd

SHA1
67ccbabe810ddebda3d64ada4c1b66fa8c3a23d6

SHA256
78e582326d8479486bef5ba92deee6e2144dc78e064d743b5ee47aa89c1b68c4

SHA512
2b5c3b29ec498e83b3481497719c71c04ea96ffd33e68dbea1dd5381068bed2207cedc45c2668911b6e13e185fec91f3fdac178045a544cf397e7fda30704d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
2625fee28835f6298f06a5db52c663c5

SHA1
fea1b11246ccc0d3c216ac3707eb2dfa351f911e

SHA256
2f55c6f39e1d664ee7c5ca6f6a31fae4a715da0abd42acdf51aed53de0dd58dd

SHA512
e7f102daf71b5f9ca36b1e3105ca08ff2bb1fb68efa0d0a141f598c8592874ccf8c00dc0304ebb9e740433af578eb0f8bb529a70736c999a47616d1a6444bfd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
aa319dbeb7c3daa675a5ebaafd06e0ce

SHA1
58d3407c0a1ac7051a487cdf38e18421691b2780

SHA256
41aacd2d61d7160903db22acec45a52f410fbdbfb020694ec4df5324781d732b

SHA512
58582b7ed6bc5c0bf35dbf304251e6e50636ef8c586cfc87899d3c982fa5a549bf77333d015c348825eb7a2431ac3c8500d64abac390b66cac6a625596cf2a9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_51151F3894C6D8DE5216CA8F889633E4

Filesize
480B

MD5
45727652ff25121055d52220854bafdf

SHA1
5be5c2b71cf87842f8a1733b957c94f76fcd597b

SHA256
14e43568fcb44447c8a7feb9263409ef1ba27b2a904a87400291ced3f9014631

SHA512
61d2336a5fa73119a6fdd1f32fc48a56f0d66a31bc5e9ccad5e253e77c85f3d02078073f062ee48a2106097e4c0b52db5b2ea4d21e94fc5f4d39861d1f8eed4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
18f2fb5e6fc7e53162fc8d00e626abe4

SHA1
5eb17e90717920acdf03dddb378edd4054086084

SHA256
0d83d25c9749e5251cfd741d0e861cf4ddd210551809d1aff58862564610db2e

SHA512
6ce34614e8f261d9c19fa6eca614c95cf6a56e03051fecfe89451057ea8f25cb70018c6aa84cc3911d66e41c08ca0784195d72bfacf2c5e08188698a3a8a62e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1d12900df8a2efc6021ba0a194bf9e05

SHA1
00c06a532985e2b36e3aab765a579c7587f11c65

SHA256
560cd822dc89e3303f70b86e7f25f56c8856f52651cfe7468ddc1d2ccf1211c9

SHA512
bba4f1ad9a594e14e1480dd25a5c4624da099f69a8c63388c052e6b01ba7844bbf6881ab5e8835bbd02d664b883358ec12d3078710d495b4bce0d6d6c6c94474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d9d139e1505200b7567fe6a964f7af96

SHA1
6841b8d97dc84072987f3d4128557a79fcf01d11

SHA256
92df8857f4932c348ddaa1c916488f13b6ffa6630ce6f8baf1613bf86b5fc8c2

SHA512
9fb180126cc0993026b8ffa7580f88e459d94ac2dbd70d80948f3ee2a58dd7d7980d6b17176e7ca301af147e8ff47283b115e24bd6ee8d74a30f00cc8354d742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca0f965fa8bb1aad38e66cdbe6ef519f

SHA1
487c036f4112634b917a0bc63d4f5ee1e72a7dd6

SHA256
a043df7b1fb5c595b1c21d43210a07b0e36764263616855c2379445013558e86

SHA512
a4789a6827a7422494927a137e6b092d7d93ce1e847db7dee2e524b5ca859abd0528dc1e126b401547d96f93cbbf0dc46ad9031169e9a16b99ea56519ab351aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20f0f7cc01ae7428a941267fcc1ae3d0

SHA1
2239a2cbb1fd6c9fb17aa5e58fa7043a04b2f624

SHA256
72ce90ce2e884791092b6403618a8d30d003749580d88794ce11f6f768dc6361

SHA512
b74002c79dfce588feee8bdec168a24b22b12a9a3c62660291eaa4a5337f18435ad6a4159a312383826b3e7f1ac154e7f76e42cc96e0ceada27b009d8162b51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f297fcc2-2321-4c25-8dbb-d8ae2952ccd8\index-dir\the-real-index

Filesize
2KB

MD5
81bec448e0b67523a3d5543c763bb132

SHA1
f620ff604dac77f05f0ec4f54e161bfb7b09f52e

SHA256
364ec48db4477cdd5aab5b034b3d0e7a3af9eddf90b7253e28a06a9d8f1ecc6a

SHA512
3ef6613004dab26c35f45edbf7db74bebc74f694570317782947f84497edbe291c2c6a1b0e71067af70c5d95d0d55de3cad29eb4cd6d7d333fb438eeeb8fb4a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f297fcc2-2321-4c25-8dbb-d8ae2952ccd8\index-dir\the-real-index~RFe596f6a.TMP

Filesize
48B

MD5
c0c5634097be5a11dd3ad67548c03416

SHA1
2f094e144f27827723597858d64816115b259006

SHA256
76f9b139f1f53df32ca03c080c50c361a4e4c17bfbbebaed943434267be2bbb1

SHA512
d8721a345e953abdfb008540775ca95e44443aedcde597adf3b4d610073e4bbc4b45ead536521bc86dcf2a8c48e6183b57369ec002731d1bd4440cdf41b6a461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
7e2160b3d1eeec29d860a68d1db6811e

SHA1
4eeb1dfec49ce4f0ed607105cf1b508f4fe4380f

SHA256
d69aa774b841587ea04f88c29f5ca6d4c64281cb8c0d725edf0b0c95fd96ceff

SHA512
51cbd310d15fd57897b98ae5ae726c6f5734f95f831512fef4b02ab40952af49f88c9adfb1dc7b7414de63ad1f41d53aca875733b1a25e2ec03a6781f1c94cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
81f8283eefbeb7df9ceca6d7254d92a7

SHA1
7a0e3931d2cdf0a453b2be155da9f085d466c1d3

SHA256
b5cf3841ad766e9dcac1d6ad358a90afaa940483c4d45c3154c1ed95112150af

SHA512
db7d4335926a3c23cd0da0f1cd0de2826780f5d065689d09d232f0ebe2868f26ccbb9529d2866e788ab66f473842549906df0ae064de01cc8ef8d3151c309629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
26421bdb4fed572406f9528ce91d518d

SHA1
9ec0f58f1a72096183c451011dd572582a3d9e2f

SHA256
b00d988a67d2936c986d6154f3c26e78d1af262d452f97966e127a58cf3facf4

SHA512
90071c02bdf939380ad867b5b7f7254e0aa932a19c2f50803ac520a14c8b397b834ea2903d0072376ae5993a9846bfa48dce23ece92b44a5c31e8c11f2f9be2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
7d38b1aa6da0cabe26de1a8cc710c0ae

SHA1
20895cee4acf33d546ac1e89d41eb4e9c419ea1f

SHA256
04ca3bae98c3509aaa80f1d557c09103a574243884508be97ef1a39c58039d68

SHA512
cf12c168140a7b595dab26c904bca2ee5295efb6af18b6ad10a10aa37b7a131f876f37af51223d11385a2c97893df253b3490633abc38196a76760b63e269dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ccbfadbfaca2050ca6535bff11081a15

SHA1
9e956f21bea7b2de0ffd8cc4fe7412f83a6ed442

SHA256
223d1fc120368d339a38418e7574e8ce64f7217f7986cc2b9a1800680f16c07a

SHA512
1cc3daf35c3134330979eb8f7117413fde93baccaa5a9485656a4ed9fc99ed18f8c2d84a497bf691fb42f2c588b6454c2d333e399e1f5eb7754c90bff4690802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59671d.TMP

Filesize
48B

MD5
de592613fbec850ff304bca87cd43298

SHA1
ffb12b657d4d637a3803f6ea2364035202198047

SHA256
9724289b7f955d20f49aae63d4a63d6ceace5fc7216f67dba1e53aae6ff9edcf

SHA512
8c6da2ac1ce262b2d1bff4021ae4bd73502ebe14fb51918fee5d251541d9e54f697f4877e5c2af5ec86a70a7c15768b40ded973c39ac0043d92e1fa962e1d67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0d910525a91bedd4592ab84f5f45d99

SHA1
3498318a8209cedd4aba28a967f3e7c527aff0d1

SHA256
d0b9bb571885bbd500e85d1786a502f3b0785104778a771e57c2e7fddcb7f17f

SHA512
860035b8a6bc34a38797c4205d8209873936a73ed583b5ee7fceda0f2516635d8f7be289e79fd9ce10c4834b8f2bfadb9a56f12f132a0fb33a386866eb650ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593771.TMP

Filesize
371B

MD5
8a421144a0f5a76adc6fc5595386875d

SHA1
12ab11fa6d451df7213d7f9a7f8a4fb1659893e6

SHA256
1ec60545e1e6aa3781aca511ce99cdb0a0d89ef70c7796a5ac9c311f35806aba

SHA512
915c113e057ef3f45a9709a6c2a7a5be3b4210a65c28f7c733a7600435e7e68e7f5cc0c822dcb5fa4647c0d7a4938a7aa4aa793b629e9093605761b272add6f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8a0dc3309ca3098b65355a0f200d6df9

SHA1
259b889e7e5696af5339efbcc28048c02252d274

SHA256
b6b7e83551f073d90d2ea5ced355fd7e8e629e9a501acf965ef335fbe8c8baf0

SHA512
e7df1790e925736a24326abdcc2318ad54d2b63b0c97508fcbc6a86a7c76d658258f9539f87eb78386ef40d6561d7ca380574b2cc7e8e82e99264a5427570de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2e4c8bac22742e97d41bc3756a85225c

SHA1
4818d7886df147813bd3811777f588b9e18311ba

SHA256
09ee585ac54e6f0f204364710a10d73597f38939284e6d5243ace4398e3143c4

SHA512
47cfe61bde66f8a9e9c4d0f96cffe28dd2173e3f6876a8986dcf54d5bd67d8d7e0d058d72765b5d8d10b43fb121e4b17fea58a8e921cca85f4c32e183a9c03bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_904\applogoicon

Filesize
76KB

MD5
758eaf9ee46be5d4232a682eae020626

SHA1
38ade89391420a5e4e37157ec6d39503cc0a98cd

SHA256
37167b6ab6c4143fc61e541880dbe1b9c943d7496c6d65c538b2fd7b42c47de3

SHA512
db1b355c0d0d9cd13091b67a17c742fd88aeda77a8c8434212bdf08de1d7284f53089254e492dcb4ab4393f3b11cc89ca307ee83c5449460d8d4dab82fd0fe83

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_904\background

Filesize
28KB

MD5
6c0ee49a7fd729049e4dd57a97242e62

SHA1
29bc6da2e1f568cb1c30993a4c4090d912079e01

SHA256
080c73382c5cb466ee27fcc5dc724becece17c20f7d3a87b59fc2df279a4647c

SHA512
359530f9b647f126dc723bcf6e7562903b6eefeae2d5a9b3d12d4e072fa938f1f8abcf69ddd030f8d788afea404440aa2fca65f4b6e229f004ac86b50ea27f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_904\exitbackground

Filesize
20KB

MD5
d682cf32d866500c87e4e2f6a1dbf870

SHA1
ff8620ab4011918551275235a1ec15c0c04f8e40

SHA256
ac53fb5f87fa500ad17a7b3aa171206d6126dd5f2f252932cdf065bf264b57ac

SHA512
6f02dae147a72e04d2c55ff8432d17941da8cb0c4c12cb22d6c14452c88fe2c434ddbb8860d4cdba14ff3637104c19f267bdd786c6464a160ffad49ba42d9c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI687.tmp

Filesize
1.1MB

MD5
834b14d594a4e5d32b2c6a8a2b9c9e9d

SHA1
e23f0522085d11eaa9f7de30dd87508f9a15e777

SHA256
e5aff7492b86b6461591e93213b33c639db991b04ac63b5d07240d1777e554ff

SHA512
b054bb31911557461d7f86eeddd2028d1326d43826f95da958478640fc667b8389de61606e9f3b431baa20c27fed0fd54d93fc3534a19b81e5a6f1634b82d7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7C0.tmp

Filesize
881KB

MD5
1dfd211901db1786649a911dfedc3f7f

SHA1
5785489170086bbfa69ac1c324b3437ca337d926

SHA256
7f4713f31958704586a9173759dc568dd48b21de022eeae19e5152ae2d011b4d

SHA512
4c7cd03d9067ce17f15df2ddb6073aa372999d00a4475dbc04b947232357b8cca27aaae1630a5a58959ade379d2b073c2df6b0e41fd97e7ded5bf8ab5ade93eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC55.tmp

Filesize
936KB

MD5
13056f6fc48a93c1268d690e554f4571

SHA1
b83de3638e8551a315bb51703762a9820a7e0688

SHA256
aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996

SHA512
ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi6CBF.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiAFA.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiB0A.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\AuthenticationManager.dll

Filesize
34KB

MD5
75394e67beb054c00d3b77fe607908b3

SHA1
c95649890a7a1e95f7277061c37ff8ffaab80f22

SHA256
faa22a955b14e21460ffffc6f0abd45514cbda29eb6fa805f89402b60b18252f

SHA512
45559b045dfd3b76d74cae5323ed00e50b146537d415800263c37a5d5495af446533b66b435eef19f873086cc02f5da7e17c789b1e86e719ed06365f00e04c0c

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\AutoDetect.dll

Filesize
20KB

MD5
b7ed76077108adc074aad0aa1bb34bf1

SHA1
51f542d8a3eec19b34756ffbe82b242cf19706bc

SHA256
69c35ed09d7ed48044d1113fa4e1e3022588dad625541888df5852e07582b607

SHA512
e20d5ac2eb3f1f45f6b46265835d9996603cc4998096de5a89f50dff3719b167c61951b82b50bb0d6cc0b8d83e02f610ad7d03c2d5f31c6665c0edce7a18d7eb

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\Configuration.dll

Filesize
33KB

MD5
e2527f155570f13318da643f96eed839

SHA1
b95f9b49287dde7452941cad6ea5b29ccf75795a

SHA256
3e92fff6a8687b247d3bd4ed2f0a95824e4db63c1ac4e96de38babad219df7be

SHA512
8d4571990f77350b4d3e7cb84b4c61a5c7f2ea9fd49538ca723c2b03c1020a9de417dc85d7e0872525455edc18f9a8a88c9eda4784d8d075eac69b4fd8c3cce3

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\Core.dll

Filesize
15KB

MD5
288323b6cc8cd58ce8699279658e5e92

SHA1
71b3158fd589f5a5ae875021fb74fb079410a49a

SHA256
0d1ae5bcb7284eabbe915399a0311b62b884a422f23fa5bb2032c60d4ae674bf

SHA512
714f93e5a295e1eacd3a100a259cd4355486632993e72e85038aab186e16d121605376c06354325bdd1bb4743be39085ec3bd4eb26ffe6d9b09cfdc39b68c643

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\GUI.dll

Filesize
1.9MB

MD5
59a1aacfaff91cbf0164d124327efcd7

SHA1
5fefc3e6e7885990a07db7496c1e3548771aaa93

SHA256
2f5cb7bf2fc968491c217adffc8c74be6588bf7b0b500caa8710815de612b22e

SHA512
219aaef9ff80dc909123875ce3a608b649aeaf1dd39310fd8893c27a1c7749487fd743c3a8a48b3a13eb2f6e755ac56b5089ea9b50463f718b473671520cb6ef

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\History.dll

Filesize
7KB

MD5
260a19a3a2772cad7238ca686ea783b2

SHA1
a533406639fc2d3f50ca298b062ab685f3de408a

SHA256
bf6fa2ae4c165af6b4760720371f5be2fccabe332d7afce9b95a2f915e98eb15

SHA512
61493a408a4dd3fa4f3f88dbc026fc088aca0a3b075c7a0d709e054f328564f2cd4d55562b39ff48b9d0a6d5e5e829d9a759c2e7b82394c6b18eeb1cfcae49ca

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\Interop.iTunesLib.dll

Filesize
67KB

MD5
c89198d3a53e6d1158962d03f14f7186

SHA1
f010c4c05bcaeedea7d7cdc8d7b99217a0d7f541

SHA256
e86883a4033204ef5db738bfc6b2abfb80be82324470ca8c69d58b4b512e20a9

SHA512
53595d200b8413f066bdf98bf726c3074ca0e49cb96e6310656c4414297d7a47cd7d3dc408ae3d48f7991cbc359d45cf79097584f7fda671c80d749aa0019fda

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\Ionic.Zip.dll

Filesize
223KB

MD5
e1db6c3c8be9f4a7a4af7cc9e235058b

SHA1
9d8da7fd75edf38626e71bec234d734e8e6cad68

SHA256
f7866db2e72acadecd5249b913f3d6d1148d3bbc99e341e937d883fad6eb8722

SHA512
076c8e934bb0f2caa81e1a9c9e6c20a08faac13dcabea08a0a7807135472bcfe3aa749ef6558c57459ebf9fdec8a4c9a13e7cb8832028e022c8853e15d9ed370

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\Microsoft.WindowsAPICodePack.Shell.dll

Filesize
530KB

MD5
6d8deb7be7360761fd43ec9ddcaa0811

SHA1
b45482a37b381de2a0293b6be48c4cdef04aebff

SHA256
aa5d80cdc0da52970031309b457e3e3fd505bb1ac13fb79801d15bfbb4a700b2

SHA512
c400812dcdec40e4bce3ebfd1a3d472dbe27fb5bccd22e198f870f418c003d121135fa82e6699c581167f48393cacfc4876eb2e50f51104bcd9d322a5641f75c

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\Microsoft.WindowsAPICodePack.dll

Filesize
103KB

MD5
56e013e924822c9d02329b15b03ede73

SHA1
085dacfcd1ffa398b795d096833d16367b0d2886

SHA256
7b88388b8367f0d873d0e3b66f533869c24e346fb6f0b2c6c783f931cc9a1631

SHA512
ea0020ee32e0c7e7323f5858a462bf762f65013509012147430f0d8f665eb86f534d2491ca9f737c15bf6f995a8d3e0172537129a0dc8628cf7bf0d0f48457d1

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\NAudio.dll

Filesize
460KB

MD5
8298c971e8a367499cd9fbeee08d0472

SHA1
a3b8e87d2975b8b7cb5656a16d3794e85aeb8166

SHA256
332d9caf9c0172aabd7ff8ca909967d31dc17329b64b65d1fb13b84c6ca5a729

SHA512
46541667deefe0956dba5b158ce4f42e899a23f397c840edad12ebd8853bdd1ab7a2df15eafa9a832b25e2200702e2928e9321cffaf1ba9d02dc9fa016667b41

Download Submit
C:\Users\Admin\AppData\Roaming\ByClick\By Click Downloader 2.4.13\install\333248B\YouTube By Click.msi

Filesize
5.6MB

MD5
f34dbad2b0bd78d0cf063ef344371410

SHA1
5f4ca219504319e1981bd0580e6a8b1071575c82

SHA256
1e784e3888dc7b292a483cde4e25d53d665bd40f8f0207ba5ca72e0b1db3c792

SHA512
c3e345c44c3c570aaef99bf158e0a8504884e8f93a64ebed3bb3f0b40857466871e4d665071fbafa36e16a2c230bb13e5d9bda4a16d61bd722ab73d035fe3678

Download Submit
memory/4544-375-0x0000000007240000-0x00000000072AE000-memory.dmp

Filesize
440KB

Download
memory/4544-351-0x0000000000C50000-0x0000000000C8A000-memory.dmp

Filesize
232KB

Download
memory/4544-370-0x0000000005FD0000-0x0000000005FE0000-memory.dmp

Filesize
64KB

Download
memory/4544-371-0x00000000060E0000-0x000000000613C000-memory.dmp

Filesize
368KB

Download
memory/4544-368-0x0000000006500000-0x0000000006AA4000-memory.dmp

Filesize
5.6MB

Download
memory/4544-367-0x0000000005B50000-0x0000000005B5E000-memory.dmp

Filesize
56KB

Download
memory/4544-366-0x0000000005B60000-0x0000000005D48000-memory.dmp

Filesize
1.9MB

Download
memory/4544-372-0x0000000005FF0000-0x0000000005FFC000-memory.dmp

Filesize
48KB

Download
memory/4544-369-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/4544-374-0x0000000007160000-0x00000000071C6000-memory.dmp

Filesize
408KB

Download
memory/4544-381-0x0000000005680000-0x0000000005688000-memory.dmp

Filesize
32KB

Download
memory/4544-376-0x0000000007150000-0x000000000715A000-memory.dmp

Filesize
40KB

Download
memory/4544-377-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/4544-378-0x00000000072B0000-0x00000000072DE000-memory.dmp

Filesize
184KB

Download
memory/4544-391-0x0000000007AD0000-0x0000000007B08000-memory.dmp

Filesize
224KB

Download
memory/4544-392-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download