Analysis
  max time kernel:   110s
  max time network:  102s
  platform:          windows7_x64
  resource:          win7-20240220-en
  resource tags:     arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  submitted:         21-03-2024 15:02
Static task
  static1

Behavioral tasks
  task           sample                                resource
  behavioral1    DAMsetup.exe                          win7-20240220-en
  behavioral2    DAMsetup.exe                          win10v2004-20231215-en
  behavioral3    $PLUGINSDIR/Dialer.dll                win7-20240319-en
  behavioral4    $PLUGINSDIR/Dialer.dll                win10v2004-20240226-en
  behavioral5    $PLUGINSDIR/DotNetChecker.dll         win7-20240221-en
  behavioral6    $PLUGINSDIR/DotNetChecker.dll         win10v2004-20240226-en
  behavioral7    $PLUGINSDIR/InstallOptions.dll        win7-20240221-en
  behavioral8    $PLUGINSDIR/InstallOptions.dll        win10v2004-20240226-en
  behavioral9    $PLUGINSDIR/StdUtils.dll              win7-20240220-en
  behavioral10   $PLUGINSDIR/StdUtils.dll              win10v2004-20240226-en
  behavioral11   $PLUGINSDIR/System.dll                win7-20231129-en
  behavioral12   $PLUGINSDIR/System.dll                win10v2004-20240226-en
  behavioral13   $PLUGINSDIR/UAC.dll                   win7-20240221-en
  behavioral14   $PLUGINSDIR/UAC.dll                   win10v2004-20240226-en
  behavioral15   $PLUGINSDIR/nsisdl.dll                win7-20240221-en
  behavioral16   $PLUGINSDIR/nsisdl.dll                win10v2004-20240319-en
  behavioral17   $PLUGINSDIR/registry.dll              win7-20240221-en
  behavioral18   $PLUGINSDIR/registry.dll              win10v2004-20240226-en
  behavioral19   $TEMP/setupc.exe                      win7-20240221-en
  behavioral20   $TEMP/setupc.exe                      win10v2004-20240226-en
  behavioral21   DamBho.dll                            win7-20240221-en
  behavioral22   DamBho.dll                            win10v2004-20240226-en
  behavioral23   DamFirefox/components/DamMz.dll       win7-20240221-en
  behavioral24   DamFirefox/components/DamMz.dll       win10v2004-20240226-en
  behavioral25   DamFirefox/components2/DamMz.dll      win7-20240220-en
  behavioral26   DamFirefox/components2/DamMz.dll      win10v2004-20231215-en
  behavioral27   DamFirefox/components2/DamMz25.dll    win7-20240221-en
  behavioral28   DamFirefox/components2/DamMz25.dll    win10v2004-20240226-en
  behavioral29   DamFirefox/components2/DamMz26.dll    win7-20240221-en
  behavioral30   DamFirefox/components2/DamMz26.dll    win10v2004-20240226-en
  behavioral31   DamFirefox/components2/DamMz27.dll    win7-20240220-en
  behavioral32   DamFirefox/components2/DamMz27.dll    win10v2004-20240226-en
General
  Target:  DAMsetup.exe
  Size:    2.8MB
  MD5:     c4f6847c160205eaaba5af06dc3d5873
  SHA1:    74c1c9a22e85305cb21ff22e68800f96daaa8464
  SHA256:  5443b1c3aa80091b7e0d86681892e0871a7f1954dfa5cfd33318bc597116dd52
  SHA512:  997687ab9f5b1507690ffb6d474d7f3cb81d4204e5e7face86c5d1fb54030d8c7c53ad16e533650b5a88abbdf6ab84e58dd8b7d3adb6d049aa244d08d1a950bc
  SSDEEP:  49152:YKVrCbIS6kXtqMsSOqzw9iDxivzrp/SLyB+Lgyl8WLpqIDXssjromawYuwD:YKVry6ItqqkUVivXpGLLVpq3sPomy
Malware Config
Signatures
Executes dropped EXE 5 IoCs
  pid    Process
  2424   setupc.exe
  1252   DownloadAcceleratorManager.exe
  2624   DownloadAcceleratorManager.exe
  1012   DownloadAcceleratorManager.exe
  1792   DownloadAcceleratorManager.exe
Loads dropped DLL 23 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun 1 TTPs 24 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
  description   ioc                                                                                                                       Process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000003-1118-11da-8cd6-0800200c9888}               RegAsm.exe
  Key created   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000003-1118-11da-8cd6-0800200c9888}   RegAsm.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 12 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 64 IoCs
Manager/DamLinkHandler.DLL" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.BHO" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID\ = "{00000003-1118-11DA-8CD6-0800200C9888}" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\ = 
"Tensons.Application.DownloadAcceleratorManager.BHO" RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0 RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE} RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" RegAsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ = "Tensons.Application.DownloadAcceleratorManager.BHO" RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2424 setupc.exe
2424 setupc.exe
2424 setupc.exe
2424 setupc.exe
2424 setupc.exe
2424 setupc.exe
2424 setupc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1792 DownloadAcceleratorManager.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2424 setupc.exe
Token: SeDebugPrivilege 1792 DownloadAcceleratorManager.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process
1792 DownloadAcceleratorManager.exe
888 iexplore.exe
1792 DownloadAcceleratorManager.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid Process
1792 DownloadAcceleratorManager.exe
1792 DownloadAcceleratorManager.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
888 iexplore.exe
888 iexplore.exe
1796 IEXPLORE.EXE
1796 IEXPLORE.EXE
1796 IEXPLORE.EXE
1796 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target
PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30
PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30
PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30
PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30
PID 2072 wrote to memory of 1252 2072 DAMsetup.exe 31
PID 2072 wrote to memory of 1252 2072 DAMsetup.exe 31
PID 2072 wrote to memory of 1252 2072 DAMsetup.exe 31
PID 2072 wrote to memory of 1252 2072 DAMsetup.exe 31
PID 1252 wrote to memory of 700 1252 DownloadAcceleratorManager.exe 32
PID 1252 wrote to memory of 700 1252 DownloadAcceleratorManager.exe 32
PID 1252 wrote to memory of 700 1252 DownloadAcceleratorManager.exe 32
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 980 1252 DownloadAcceleratorManager.exe 34
PID 1252 wrote to memory of 2976 1252 DownloadAcceleratorManager.exe 36
PID 1252 wrote to memory of 2976 1252 DownloadAcceleratorManager.exe 36
PID 1252 wrote to memory of 2976 1252 DownloadAcceleratorManager.exe 36
PID 1252 wrote to memory of 664 1252 DownloadAcceleratorManager.exe 38
PID 1252 wrote to memory of 664 1252 DownloadAcceleratorManager.exe 38
PID 1252 wrote to memory of 664 1252 DownloadAcceleratorManager.exe 38
PID 1252 wrote to memory of 1244 1252 DownloadAcceleratorManager.exe 40
PID 1252 wrote to memory of 1244 1252 DownloadAcceleratorManager.exe 40
PID 1252 wrote to memory of 1244 1252 DownloadAcceleratorManager.exe 40
PID 1244 wrote to memory of 2932 1244 ngen.exe 42
PID 1244 wrote to memory of 2932 1244 ngen.exe 42
PID 1244 wrote to memory of 2932 1244 ngen.exe 42
PID 1244 wrote to memory of 572 1244 ngen.exe 43
PID 1244 wrote to memory of 572 1244 ngen.exe 43
PID 1244 wrote to memory of 572 1244 ngen.exe 43
PID 1252 wrote to memory of 2032 1252 DownloadAcceleratorManager.exe 44
PID 1252 wrote to memory of 2032 1252 DownloadAcceleratorManager.exe 44
PID 1252 wrote to memory of 2032 1252 DownloadAcceleratorManager.exe 44
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 1252 wrote to memory of 2588 1252 DownloadAcceleratorManager.exe 46
PID 2072 wrote to memory of 2624 2072 DAMsetup.exe 48
PID 2072 wrote to memory of 2624 2072 DAMsetup.exe 48
PID 2072 wrote to memory of 2624 2072 DAMsetup.exe 48
PID 2072 wrote to memory of 2624 2072 DAMsetup.exe 48
PID 2072 wrote to memory of 1012 2072 DAMsetup.exe 50
PID 2072 wrote to memory of 1012 2072 DAMsetup.exe 50
PID 2072 wrote to memory of 1012 2072 DAMsetup.exe 50
PID 2072 wrote to memory of 1012 2072 DAMsetup.exe 50
PID 2072 wrote to memory of 1792 2072 DAMsetup.exe 51
PID 2072 wrote to memory of 1792 2072 DAMsetup.exe 51
PID 2072 wrote to memory of 1792 2072 DAMsetup.exe 51
PID 2072 wrote to memory of 1792 2072 DAMsetup.exe 51
PID 2072 wrote to memory of 888 2072 DAMsetup.exe 52
PID 2072 wrote to memory of 888 2072 DAMsetup.exe 52
PID 2072 wrote to memory of 888 2072 DAMsetup.exe 52
PID 2072 wrote to memory of 888 2072 DAMsetup.exe 52
PID 888 wrote to memory of 1796 888 iexplore.exe 54
PID 888 wrote to memory of 1796 888 iexplore.exe 54
PID 888 wrote to memory of 1796 888 iexplore.exe 54
PID 888 wrote to memory of 1796 888 iexplore.exe 54
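Every target PID in the WriteProcessMemory table above is a direct child of the writer in the Processes tree that follows, and this report shows such writes for every process start in that tree. A parent writing into a process it has just created produces the same "wrote to memory of" row as an injection into an unrelated process, so the table only says something when read next to the tree. The script below is an added example for this report, not part of the Triage output or of the installer: it parses rows in the form shown above, collapses the repeats into a count, and labels each (writer, target) pair "spawn" when the target is the writer's child in the tree and "cross-process" otherwise. REPORT_ROWS and PROCESS_TREE are copied from this report (a subset of the rows; the full tree); CONSTRUCTED_ROWS holds one made-up row that is not in the report, included only to exercise the cross-process branch.

```python
"""Cross-check Triage 'wrote to memory of' rows against the process tree.

Added example; not part of the sandbox report or of the analysed sample.
"""
import re
from collections import Counter

WPM_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)$"
)

# Rows copied from the "Suspicious use of WriteProcessMemory" table (subset).
REPORT_ROWS = [
    "PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30",
    "PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30",
    "PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30",
    "PID 2072 wrote to memory of 2424 2072 DAMsetup.exe 30",
    "PID 1252 wrote to memory of 700 1252 DownloadAcceleratorManager.exe 32",
    "PID 1252 wrote to memory of 700 1252 DownloadAcceleratorManager.exe 32",
    "PID 1252 wrote to memory of 700 1252 DownloadAcceleratorManager.exe 32",
    "PID 1244 wrote to memory of 2932 1244 ngen.exe 42",
    "PID 1244 wrote to memory of 2932 1244 ngen.exe 42",
    "PID 1244 wrote to memory of 2932 1244 ngen.exe 42",
    "PID 888 wrote to memory of 1796 888 iexplore.exe 54",
    "PID 888 wrote to memory of 1796 888 iexplore.exe 54",
    "PID 888 wrote to memory of 1796 888 iexplore.exe 54",
    "PID 888 wrote to memory of 1796 888 iexplore.exe 54",
]

# Constructed row, NOT in the report: the installer's UI process (1792)
# writing into the IE content process (1796), which it did not create.
CONSTRUCTED_ROWS = [
    "PID 1792 wrote to memory of 1796 1792 DownloadAcceleratorManager.exe 54",
]

# (pid, parent pid, image) copied from the Processes section of this report.
PROCESS_TREE = [
    (2072, None, "DAMsetup.exe"),
    (2424, 2072, "setupc.exe"),
    (1252, 2072, "DownloadAcceleratorManager.exe"),
    (700, 1252, "RegAsm.exe"),
    (980, 1252, "RegAsm.exe"),
    (2976, 1252, "ngen.exe"),
    (664, 1252, "ngen.exe"),
    (1244, 1252, "ngen.exe"),
    (2932, 1244, "mscorsvw.exe"),
    (572, 1244, "mscorsvw.exe"),
    (2032, 1252, "RegAsm.exe"),
    (2588, 1252, "RegAsm.exe"),
    (2624, 2072, "DownloadAcceleratorManager.exe"),
    (1012, 2072, "DownloadAcceleratorManager.exe"),
    (1792, 2072, "DownloadAcceleratorManager.exe"),
    (888, 2072, "iexplore.exe"),
    (1796, 888, "IEXPLORE.EXE"),
]


def parse_wpm(rows):
    """Count identical rows: Counter[(writer pid, writer image, target pid)]."""
    counts = Counter()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        counts[(int(m["writer"]), m["image"], int(m["target"]))] += 1
    return counts


def classify_writes(counts, tree):
    """Label each (writer, target) pair by its relationship in the tree."""
    parent = {pid: ppid for pid, ppid, _ in tree}
    image = {pid: name for pid, _, name in tree}
    result = []
    for (writer, writer_image, target), n in sorted(counts.items()):
        # A parent writes into a child it is creating; anything else deserves a look.
        kind = "spawn" if parent.get(target) == writer else "cross-process"
        result.append({
            "writer": writer, "writer_image": writer_image,
            "target": target, "target_image": image.get(target, "?"),
            "events": n, "kind": kind,
        })
    return result


def render(classified):
    """One line per pair; the event count is kept because the report carries it."""
    return [
        f"{r['kind']:<13} {r['writer']:>5} {r['writer_image']} -> "
        f"{r['target']:>5} {r['target_image']} ({r['events']} events)"
        for r in classified
    ]


if __name__ == "__main__":
    rows = REPORT_ROWS + CONSTRUCTED_ROWS
    print("\n".join(render(classify_writes(parse_wpm(rows), PROCESS_TREE))))
```

The "spawn" label is deliberately weak: it only says the target is the writer's child, which rules out injection into an unrelated process, not hollowing of a child the writer created. Telling those apart needs the written addresses and sizes, which this table does not carry.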
Processes
C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2072
  C:\Users\Admin\AppData\Local\Temp\setupc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\setupc.exe DownloadAcceleratorManager MediaGrabber damfhp damhlpr firefox chrome iexplore
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2424
  C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
    Command line: "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /ia C:\Program Files\Tensons\Download Accelerator Manager
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID: 1252
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /s /codebase "C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll"
      - Registers COM server for autorun
      - Modifies registry class
      PID: 700
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /s /codebase "C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll"
      - Loads dropped DLL
      - Modifies registry class
      PID: 980
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /delete dam
      - Drops file in Windows directory
      PID: 2976
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /delete DownloadAcceleratorManager
      - Drops file in Windows directory
      PID: 664
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /nologo /silent "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 1244
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
        PID: 2932
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"
        - Loads dropped DLL
        - Drops file in Windows directory
        PID: 572
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /register /codebase /silent "C:\Program Files\Tensons\Download Accelerator Manager\\DamBho.dll"
      - Registers COM server for autorun
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 2032
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /register /codebase /silent "C:\Program Files\Tensons\Download Accelerator Manager\\DamBho.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 2588
  C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
    Command line: "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /iu C:\Program Files\Tensons\Download Accelerator Manager
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    PID: 2624
  C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
    Command line: "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /iu C:\Program Files\Tensons\Download Accelerator Manager
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    PID: 1012
  C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
    Command line: "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1792
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://install.tensons.com/?pid=003&v=5.6.0
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 888
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 1796
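The four RegAsm.exe children of PID 1252 in the tree above are the source of the "Modifies registry class" rows: RegAsm is run once from the 64-bit and once from the 32-bit framework directory, with /codebase, for DamLinkHandler.dll and then for DamBho.dll. The result is a pair of managed in-process COM servers: for each CLSID the InprocServer32 default value is mscoree.dll, so whichever process instantiates the class loads the CLR, and the CodeBase value is a file:/// URL to the assembly the CLR then loads from C:\Program Files\Tensons\Download Accelerator Manager. Both registry views are written, which is why most rows appear once with and once without Wow6432Node. The script below is an added example for this report, not part of the Triage output or of the installer: it parses registry IoC rows in the form the table uses, groups them by CLSID and flags the servers that make their host load the CLR from a CodeBase path. The rows it embeds are a subset copied from the table; the row grammar it assumes (operation, path, optional quoted value, process name) is only what is visible in that table.

```python
"""Rebuild the COM registrations behind Triage 'Modifies registry class' rows.

Added example; not part of the sandbox report or of the analysed sample.
Row grammar assumed: '<op> <path> [= "<value>"] <process>'.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)
# Keys directly under ...\Classes\CLSID\{guid} (native view or the Wow6432Node mirror)
CLSID_RE = re.compile(
    r'\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
)

# Rows copied from the report's registry table (subset).
ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32 RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.BHO" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" RegAsm.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" RegAsm.exe',
    # Non-CLSID rows from the same table; the summary must skip them.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\RuntimeVersion = "v2.0.50727" RegAsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID\ = "{00000003-1118-11DA-8CD6-0800200C9888}" RegAsm.exe',
]


def parse_row(row):
    """Split one row into op, path, value (None for 'Key created') and process."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    return m.groupdict()


def summarize_com_servers(rows):
    """Group CLSID rows by GUID and keep the fields that decide what gets loaded."""
    def blank():
        return {"views": set(), "server": None, "codebase": None,
                "assembly": None, "progid": None, "threading": None}
    servers = defaultdict(blank)
    for row in rows:
        d = parse_row(row)
        m = CLSID_RE.search(d["path"])
        if m is None:
            continue  # ProgId, Record and other non-CLSID keys are not in-proc servers
        entry = servers[m.group(1)]
        # RegAsm writes the native view and the Wow6432Node mirror separately.
        entry["views"].add("32-bit" if "\\Wow6432Node\\" in d["path"] else "64-bit")
        if d["op"] == "Key created":
            continue
        subkey, _, name = d["path"][m.end():].rpartition("\\")
        value = d["value"]
        if subkey == "\\InprocServer32" and name == "":
            entry["server"] = value        # the DLL COM itself will load
        elif subkey == "\\ProgId" and name == "":
            entry["progid"] = value
        elif name == "CodeBase":
            entry["codebase"] = entry["codebase"] or value  # written by /codebase
        elif name == "Assembly":
            entry["assembly"] = entry["assembly"] or value
        elif name == "ThreadingModel":
            entry["threading"] = value
    return dict(servers)


def flag_managed_servers(servers):
    """(clsid, progid, codebase) for servers whose host will load the CLR.

    InprocServer32 = mscoree.dll means COM loads the CLR shim; CodeBase is the
    assembly the shim then loads from an arbitrary file:/// path.
    """
    return [
        (clsid, e["progid"], e["codebase"])
        for clsid, e in sorted(servers.items())
        if (e["server"] or "").lower() == "mscoree.dll" and e["codebase"]
    ]


if __name__ == "__main__":
    for clsid, progid, codebase in flag_managed_servers(summarize_com_servers(ROWS)):
        print(f"{clsid} {progid}\n    loads {codebase}")
```

The same four values (InprocServer32 default, CodeBase, Assembly, ProgId) are what to check on a live host after an uninstall: a CLSID left behind with a CodeBase pointing at a directory that a standard user can later write to lets that user supply the assembly for any process that still instantiates the class.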
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  MD5: 2cac7bdbcd895a3b2216fbff08f87799
  SHA1: ae20d356c897fa271a712a429ea7368cf379c55c
  SHA256: a391a059943274d82a89dc0eb069a57f8984c56cb3c4cded13388d4873985f16
  SHA512: 13937d63facaf2c661dde15b456c062712165acf9054171f3a47711eba78729d83ea54bf55e443bd55c83478660ffb4c49bb2a28a966bb30ca4eeda934dfc
- Filesize: 43KB
  MD5: d37ae62d7ae1d1d29742b37b5e5a65ec
  SHA1: 52ca247535c8d2df65d1072370a2b7ab320b11f9
  SHA256: 16c65138a398e626cb4e3c5440b89fb8c9c8c08fed7292c0b67a481f6fc6c1f5
  SHA512: 30771626d02c6380ff6ea0022eccc09e9d142f7b819036cf3a0ea9eb9fea24b9c6a7404af9964d5f82aa7cfb26ca4320114ad91bd94469808a0509f6c8460f74
- Filesize: 38KB
  MD5: d7a4d039966466bdbbb2dedb6026c582
  SHA1: 2fa913238de077e63543742f75d8193c20a85349
  SHA256: 9520ba714da28958015dbdefc5cff31c392e7f6b5c66e5d2df4c4c48f7e58223
  SHA512: 262398a377bd72d081b64291960374b802394bdcc96025f260f08889011ed6ae6a024176cf35e5e3cb44c6ad2d039c08f0ac9221b7caec4135cc7970f707361c
- Filesize: 144B
  MD5: 7ed00198dff303eefb49e046562b5b7d
  SHA1: f2a14ec5d2b7717061b77769067f93295f1fbc8b
  SHA256: f4ffcc01ea1c06be63c18d343187ccb5f2f5885f1780218780f92214415e9c74
  SHA512: 71a2e8769e28a7dfe6d387bf3bfb0961af69d5bda7b6acc37ad6095581f02254e8d3be5b9583dfb39e34566f37c4fc54aa08f39e68ed705485519e7096b35ef9
- Filesize: 67KB
  MD5: 753df6889fd7410a2e9fe333da83a429
  SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
  SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
  SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 3087d58a7aca35d19cf8f63da013b94b
  SHA1: fb72bfb5f4588952ccb67ea9b581ec61989c694b
  SHA256: f571f268913b3011154b6630ab049550b7f91e198484b4fd2a2c279fac6c0e1d
  SHA512: 7282b49e7128106d2bc699d422436a00600ffd146f14ec400182e9c98ef76587590133a1fe3711bebcfb50cae4e0ecd744c9cb930cad55cb1b6b1078d43edc92
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 4e99ae47a71f0ec540abdbcbe54ff09f
  SHA1: 54b0b4269167cc98cfe3d63c4c2d622ea120d49d
  SHA256: 33c7b95dfb9a758b75a5b528016265ed8ee08272b6a01fe252c5b1ea1826d9d5
  SHA512: d100a6e704f8fe224f382197889b9d2a20d4689c6e4acc49adc784ae83ab4579166ee7971ac17fe35ce725ae3ea144003535f4f6524911e14da5e25bb0e28ac6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a74cb50222acec4aa5d3b6382c6929ea
  SHA1: 6aa832f48b6c147ae236e9ade1fac4bb4cb5a0be
  SHA256: 7b5a7405039c47712fb6d71a3a8b212da995c2186abedffb1cf4590cdc8b65c5
  SHA512: 430714bbf7669a88f12541240eedbd3db3e8bbcaf1b0b29586f6dcf43d2ccb94ebaea2ac288eb377c587625ac1d38a0cac2dedc669273c3c9af57e47db23a6a0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 363679474c283daae8efe8decf67a945
  SHA1: 9fd65bb3a536b4b8a5644c6b0cd24549e4e5109e
  SHA256: 98b3e2e57e33a3356b69ddea8c96d4f80101c11acfc8e8c35b76e1899878460b
  SHA512: c3dc07b41d082bac87d312125f708babf79df413b26aebed9a3a96e759cb5f8dc15fe21a474564e263f9cc129204c16250ec9931012ef99f766d70b94fe396c0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 54a6dcd1504d430d468672d49be788ee
  SHA1: 35716d305feb6036ff99c3aafc4e87442cbca832
  SHA256: c34f1c984b35ce764f0510c9da317bc1d86b58db4a73005977444170af6258ee
  SHA512: 288937fbf6bd6e148d2358145ddfb77e44aac457a4c300c042c8c781adbaaffadab30b2dde6fb181cc5e2700ad470521f7b9864981f6e602406ed7d8d57e2111
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1bd51ddda647e20ecf42bb2d61ef8744
  SHA1: f9b7f2e6f07b7f892e18cc147b71153ac20253bb
  SHA256: e8e736f9eeccad95d48c9af202af321ea21a69d7feb0ee56d033d482658f7c0c
  SHA512: 19f5e8ca8d661ce13d1c4b01b6e9fea330e09f2950090bcb79f42416bd006ee397a83fb57f7085027490ac4962d5fc45b3bb2736af9e55f85334225ab610af81
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 94120d305370a4733cd225d6267caebd
  SHA1: 8fc4245b925bbfd9f313a3fe81fdf4e1d3124af9
  SHA256: a4c8f27c5c627a1c391360856260bad61392394503349a7aa27b602fb393aeb5
  SHA512: 1bc03bbdc367a842aecac52a6e3e4007507e4fc7a26fc77dc1ad61c305554f55149a7fc94ce5f26c07bf86fa70692c229fc133fa0e01a21158611199fcd7366d
- Filesize: 1KB
  MD5: 2985cd5b754357ff82f520ac6dcf14b7
  SHA1: 0d1f305aa9c739dcf169d7127fee3231fa43e105
  SHA256: 3ce36167494268ae81594f68aedd4f97003a126a4c491ed24aa9d30371163e7e
  SHA512: d5591f86584819cd113c9f1b72daa6a0e64f203ed82adcd590da28bc532512bc38aa2fb52e45d4ccc65d6af547e03f7dee1a3c93a0ff656d28a0a8831584e17d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\icon[1].gif
  Filesize: 1KB
  MD5: 16c4bbfc8c0e2faef5c9e575f8e5db10
  SHA1: e6df34e00fe5e6c4cb543c18b344c58e5c050530
  SHA256: dbb001b04b242f857d9a2dfa1fbe9ae246b6153a67749dec208658f1a0d24f32
  SHA512: 026ef36d08740977c256db8ba34fa51205bd0079cd94cede98bce6afb4b5977c48d0c3b7ab0abeeed819e8233aac4232420ea39a7a577e76dcff1875623fa6b8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon[1].htm
  Filesize: 180B
  MD5: 9f1a72ec482631417808575cc932bd5a
  SHA1: 8492455bad3a0b904bddcf88d2816d26f281c742
  SHA256: 29f0a779e085b38cb38f41c2608c2af21e89e81b0dfc6665feca5b3ae3fb83ec
  SHA512: dda3e0c922d3b214aeb3e00e087c9fe6f09dc8548104dead19c02eb5973a6de90870a3b2eae9e4fb59b34cf30954cfe4c9ab5bcf76e129a5ecfeb551d057b3ee
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
  SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
- Filesize: 801B
  MD5: 7fa5a3a0e3892c0ede0e7cf0feeb52db
  SHA1: e3e617d63ed0ad707f3e23747eea0c132d98556d
  SHA256: 6da1d876cbe106704612f0ed75e5cb01a44f58eb081c5e76991a1d12d12c3c7e
  SHA512: e04719fa763a7966940c7b538ca6a6c4e1d308581d7b438cf61f9340bc7e1968d281b19660de2acfd14da8bff71b6d020db9fc3a5fb77cd5ca5ecdea3b699cd7
- Filesize: 840B
  MD5: 51705c7a434922cb5f94515fb9764b03
  SHA1: 6b9a5ae64ade667aa4af50f15c3eb6f6edb3a306
  SHA256: 2e52228430fffe78de7cee8306addb94a6292ab042897a0978bf77be081ca44a
  SHA512: 0362c6faca3b1a3600662a6e78e3432b8d0c930f1d7f7c6257ad6b74d68d930aeb0d1555bc642847577f1ce5264fbbfd3680b0cd1cb25b071a9edc5f239242f7
- Filesize: 849B
  MD5: 2f462c1a7320b2dc24659195e50be662
  SHA1: aa22599c41b2efc405532496989dadcb90dddfa0
  SHA256: 2ddde12755d567628bb87a8f6908ab98e5a6fa4f899d944f032cffd86f609196
  SHA512: 54c717b2f295830d9377a0daf7c18390548ae35ed2749676898e36d5019ad48ac413128af69aaabb39ccddae532756b79d7dd7ebb466e4d543d23fe15787ddfc
- Filesize: 762B
  MD5: e71b6d96350c05001d4b8149d34d06f0
  SHA1: 72f04f8cc9b74527d5b31e80dc5a3ca3d31fc971
  SHA256: 16e1895e8a0e15fc376e7e191751c07210835ec586ecbe61d9170b14e293396e
  SHA512: 2bd7c133f00fade07883f1f43330f6e74455f8af2f57a86e2955beb0ae77e73c53070931582ea82770991ee71404875dab6c5a7dfaf3ca12a095d3dbbae01a77
- Filesize: 807B
  MD5: 1f79a896ff2f4d42d2242946865581de
  SHA1: e0181bcb8fa6aeba65f3687064b9b4e2293b387f
  SHA256: 9cc8815672baa28d73ba01f6d426145b62e3e2661062ac24a5878c2ef4765df8
  SHA512: 40f63e64fdbc2e4e0270f61491cb36038df6a0d4b6644e406143140b95632562a8eec3da55af9bc1206da5431d9ac51c1df0f787635cf46c40c456b134a24e57
- Filesize: 820B
  MD5: 3ce8d909302d1065dcb295f03829c278
  SHA1: 86923fc2b15e5cc83719c3a17725c1f8fb202a94
  SHA256: 8c440a018411f402f95a12b9b65c17d5403938c4bb8ae8a10ee77c41633350fe
  SHA512: e5756bd9ee4386717dc0ee8f48704612f161203e0da51c29b4af60fe81b283381a21cd1befe01c5aa654c2372c8d933477fe11c52f7a46c367c8ed233c6ae89e
- Filesize: 16KB
  MD5: b0a1f1d96381bc2b658feb57792ade6e
  SHA1: 0960364751aac785566f8278c363bc481c9370f6
  SHA256: 089f176703d3238a6038d40a58a85260298e78f3a31b6ba14f7032ffbbc0e245
  SHA512: c4fee497851d449879cbb26beaaa778b1fc2a3bbe7a026f25ad6eba94119667e4d5e2fdbd52f0b18f51dc1aea58c99f81f9b7f2e4349611463ca9c9c1a1f488b
- Filesize: 107KB
  MD5: 0c116067cb44edfda18538b5c3dd2775
  SHA1: 7ca5e7973d15ade6df7b0e37572bfc1ca58579cf
  SHA256: 602351ea3a43b7b1547027f43cd41ea2536bb259e096edc82596ba8a10259eed
  SHA512: 627195492735b66dfe77e496925795a5bb1b695c0ae4b79af6656c10c6e303788ad0c1735f945ddab37052974716e6ece93db4895aa8f876adda12e22c92d150
- Filesize: 107KB
  MD5: 75bd49c3d3addac04aa2138f3f8f117b
  SHA1: 04bcd1b0a2ce7c06648f1cc5e5f8b28694b4a2ed
  SHA256: c1137bbf8e8360af6c0129db4a6e985031c9d6a3f6ec77a9c5cfe7dad783f88e
  SHA512: e4fda4cf368081ce91c7a879d35e003c1aeeca46b80e0c2a56c4c88fc6a6d8ccf2663f3863777ab72a5a7f0fc195fed82b4a81db30e175d37427d146605c905a
- Filesize: 108KB
  MD5: 277aec4e9dcd33baa9edd8076e8b4250
  SHA1: 4733fba00f6ece193dc8bbce652fc79580a220f3
  SHA256: 980563f709604b8f9a7a143dc4c566cb5ea7b3a38c622c037833a09549f83dad
  SHA512: 6ed0eef9fc1e344dd2d67865d09a8f82aadf2dabd7e46c3916048be7c7406eca10fdf66f6227e833eb3196ff959bb79ddb6ede531fd204b5b6488fb97172fe69
- C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe
  Filesize: 2.8MB
  MD5: 4b43463d7fed7e2c13ce35789ca2b03d
  SHA1: 65ca208297d967b6ed966b6316db3b1ee7d42273
  SHA256: f3f55b3161f43ed96b5739b94816db53d09b782ad869433db0141c7c6a23c0a9
  SHA512: d953918c5112cf0307879fd185af61b1feea5a883ccafbf18caf9100ec0695e224eef8405b60aa889873fd8a0eba64cafe34a2957680f6821d7dfae2755beb0a
- C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe.aux
  Filesize: 2KB
  MD5: c23aaffb596604c6369caf3b1291a4b8
  SHA1: 07118497eb8eb907fdb5d784ff2fd19fe8423928
  SHA256: 4f90393872408dfb22e85f4468e4d4f6aa14ab4aaf45b015aaddbe176cdb3a4a
  SHA512: b318dbb96c3ed72e27c5ce233bdda3070cbc8c3432a02e97c89416a487d2528b3402756f5b7e79e9da0ccf57e161dfef3bc34091414d1b6e9fb02477b5c5b17e
- Filesize: 1.1MB
  MD5: c9a97774f133b25b2c5db91d5b34bac2
  SHA1: 55091d710765145164295c5f77fc93d76f957677
  SHA256: 1d4d500bacc5dbc232d162dffe25287571a049082c554fb07d920733f5336f7e
  SHA512: a2e54b471d897d38ae366a2e5f1061a6c05236cdf7af1058e31f893039541799924de25adbfe412253fc568cf7730aaa3153eff8604f3c17bc7d43abad14c2e9
- Filesize: 294KB
  MD5: 0e617f91a119dfad00de19adc57231f4
  SHA1: 74b5d97612740d8f90f6f199f543ef2df1c3832e
  SHA256: 9927c743ba8ce0ce8b59983693a7242cf9ca46d93630cf5c36fdde32e96cb150
  SHA512: a17b1c1a0e91e4b657b8cf144af91b693eb723ec1ece96cdf9992178df353b4da545155fddd779330ade21d899fcce0502289ed6b0da1dcfa191a9fddd6406f0
- Filesize: 815KB
  MD5: 83b493e0bc0cf1105ce25d9bd5d1c2b9
  SHA1: 1813bcb2a4384bd2a134bec29bd978f0b5c4e1b4
  SHA256: 3f7bed61a1f5ad0c0a468363c4f2974c2674fd018ce2aabd40b5a16604c2d4cd
  SHA512: 3aaccda41b5822d8eca0f8fb01c060151a1a19038c35905c937949491edc803ad7399f71ea7d56fded69394e4abb3f6266b3b3a8bcf644ef4bccb3406e3c2769
- Filesize: 14KB
  MD5: 8d5a5529462a9ba1ac068ee0502578c7
  SHA1: 875e651e302ce0bfc8893f341cf19171fee25ea5
  SHA256: e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790
  SHA512: 101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462
- Filesize: 11KB
  MD5: b0c77267f13b2f87c084fd86ef51ccfc
  SHA1: f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
  SHA256: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
  SHA512: f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e
- Filesize: 16KB
  MD5: acfb66ee6fc1f4266229ec6098fe1740
  SHA1: e1aeb31b11996015d7f17308e2f2bbe69d4e1476
  SHA256: 6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e
  SHA512: bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303
- Filesize: 16KB
  MD5: 24a7a119e289f1b5b69f3d6cf258db7c
  SHA1: fec84298f9819adf155fcf4e9e57dd402636c177
  SHA256: ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
  SHA512: fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861
- Filesize: 6KB
  MD5: 62738e8892a6d7b05cbb3b8a192afe9b
  SHA1: 6546f3fc2b4d1301bbc57ea98e57ebdabcc4b9cd
  SHA256: 55e37ec9db608c9dd898e3fd23975503e079a6f5ab82e0f9106014851ea2411f
  SHA512: b88a231bfaad80f9c50dead56287d4e2bd445d5471267dcf39805c42abe692225696f7afbafa4fbbf0b4046de38e6f9edf03bed24f039a6d054a29aed4951762
- \Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe
  Filesize: 4.5MB
  MD5: e4ab1f6ea57467d9acdcaa0dedcc7f16
  SHA1: dd9c187f6036eadb9d30ceef94b38b8681a58087
  SHA256: 77a174455ae1eeca7efcf6d85a4d91c871e294342d0fc9b63e7308b1e8363b9f
  SHA512: 75f3faa0de407f595e323058ad6f961ab529699b07d0c7c5b6c5d89d6c472ae551d9cb0f705dfa1d629f4c0bdba88612f3268d34e0edcc5d47f47367409520ef
- \Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe
  Filesize: 1.7MB
  MD5: 2449b8c5529f8c3896d04db90e15e586
  SHA1: fd1512866db0c28f1c138a983e542832f63bf151
  SHA256: f66a07292cd66881c6eb176cf6cb53fb934cf1262ebe8ba144d742e4c188cb11
  SHA512: 00cd9c7026541e21cd1cfea5b37b8c1533e5dab73e1eed67ced4c99ddfb075f8fd661d51b41b18cc76b06dc030bbcf3e77f7631932a5445d9951e57e18bad7c3