Analysis Overview
SHA256
5443b1c3aa80091b7e0d86681892e0871a7f1954dfa5cfd33318bc597116dd52
Threat Level: Shows suspicious behavior
The file DAMsetup.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Registers COM server for autorun
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 15:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240220-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2292 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3036 wrote to memory of 2956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2360 wrote to memory of 2348 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 3140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 3140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 3140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe
"C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.17.5.133:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\UAC.dll
| MD5 | acfb66ee6fc1f4266229ec6098fe1740 |
| SHA1 | e1aeb31b11996015d7f17308e2f2bbe69d4e1476 |
| SHA256 | 6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e |
| SHA512 | bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303 |
C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\ioSpecial.ini
| MD5 | cb19f50a458d9f2d4d30bfdbb286100d |
| SHA1 | a23609a1dd3a1b94745391eeb8173630557e8885 |
| SHA256 | c764c814b232e5970a16bd9c1572c57ae0ef8ed7abc2d4d1431ca65db46f3ed6 |
| SHA512 | aa3593034560e8411b22acda4c63b56e89978bf1223ed9fea1d21ae541c9847bac303e75885c99d6381a41d3648e01c77b1ef7272d4cf39d2c1a83d24c7ddd7e |
C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\InstallOptions.dll
| MD5 | 8d5a5529462a9ba1ac068ee0502578c7 |
| SHA1 | 875e651e302ce0bfc8893f341cf19171fee25ea5 |
| SHA256 | e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790 |
| SHA512 | 101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 220
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3148 wrote to memory of 3048 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | tcp | |
| GB | 13.105.221.15:443 | tcp | |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3344 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3344 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3344 wrote to memory of 3848 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1160 wrote to memory of 4564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1160 wrote to memory of 4564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1160 wrote to memory of 4564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
Files
memory/2584-1-0x00007FFCADAC0000-0x00007FFCAE461000-memory.dmp
memory/2584-2-0x00007FFCADAC0000-0x00007FFCAE461000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamBho.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
120s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 244
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20231129-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 220
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 224
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 4636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 4636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2068 wrote to memory of 4636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| NL | 172.217.168.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:05
Platform
win7-20240220-en
Max time kernel
110s
Max time network
102s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ThreadingModel = "Both" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000003-1118-11da-8cd6-0800200c9888} | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000003-1118-11da-8cd6-0800200c9888} | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components\idammz.xpt | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz32.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\META-INF\mozilla.sf | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\damfhp.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\damhlprf.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\install.rdf | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\dam.crx | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\chrome\dammz.jar | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\reset.reg | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz30.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz40.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\DAMchrome.gif | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\MediaGrabber.exe.config | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\cap.htm | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz35.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz39.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamBho.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\WRCsetup.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\MediaGrabber.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\MgDll.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\runMg.htm | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz42p.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\META-INF\manifest.mf | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\ultimate.gif | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\damfhp.exe.config | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\damhlprf.exe.config | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\mgrabber.gif | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\damhlpr.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\components\dammz.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\icon.png | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\META-INF\mozilla.rsa | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\DAMfirefox.gif | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz26.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\help.chm | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\chrome.manifest | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\addUrl.htm | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\dhl | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components\DamMz.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz31.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz34.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz38.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\install.rdf | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\chrome\dammz.jar | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\Interop.SHDocVw.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\components\idammz.xpt | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz37.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\addAllUrls.htm | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\install.rdf | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex3\dam.zip | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\about.gif | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\bi.dat | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\chrome\dammz.jar | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\dhlf | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz33.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz36.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz41.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\icon.png | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
| File created | C:\Program Files\Tensons\Download Accelerator Manager\NpDam.dll | C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe.aux.tmp | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\23c-0\DownloadAcceleratorManager.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000dda16fe2849b3071695d3f26a1c778b83a0e8dd810e604f6934fe8135fb6e78e000000000e8000000002000020000000f1b7d509c55dc9521003f31f54da58b6de9f7fd4c1bf6de5b1edbec8bb580cce9000000080bf48f14fba6bfd108369f28672dcb049628a45d0e5ff719943ca942e71287bad382e7ad5a476abfc903933471cb67b551216a556e564947a55e3d84daa9b5b638196d9db7a72087cebccfba9b279863d403b020b5c71cf2b5c2c58e30b34c356c16cf9c88671fcef69b17892607d641346e4d4502722ed58decede95ab9f88ce7dc0084ae765e1fe7008b11d14e0a140000000765900a4bff2b6d6991604fb2869b74520a01ccaef0d18fe176f798d9e1b7cec4b0bdd0bda4adda5c70496ba6d3bbea520d97227b5a1489df168f58de56bfd54 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088} | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\á‚¥\{871536d3-39af-4fd9-85d4-6b4f8307f8c2} | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921089}\AppName = "MediaGrabber.exe" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\contexts = "243" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088}\AppPath = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{00000003-1118-11da-8cd6-0800200c9888}" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM\contexts = "243" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\cap.htm" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921089}\Policy = "3" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addUrl.htm" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\contexts = "34" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\á‚¥\{871536d3-39af-4fd9-85d4-6b4f8307f8c2}\AppPath = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B800A31-E794-11EE-AD30-660F20EB2E2E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088}\Policy = "3" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM\contexts = "243" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\contexts = "243" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{00000003-1118-11da-8cd6-0800200c9888}" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\Ⴓ | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\á‚¥\{871536d3-39af-4fd9-85d4-6b4f8307f8c2}\AppName = "DownloadAcceleratorManager.exe" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\á‚¥\{871536d3-39af-4fd9-85d4-6b4f8307f8c2}\Policy = "3" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addUrl.htm" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\contexts = "34" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addAllUrls.htm" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088}\AppName = "DownloadAcceleratorManager.exe" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921089}\AppPath = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addAllUrls.htm" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{00000003-1118-11da-8cd6-0800200c9888}" | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\á‚¥ | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\ = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.LinkHandler\CLSID\ = "{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID\ = "{00000003-1118-11DA-8CD6-0800200C9888}" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE} | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ProgId | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.LinkHandler | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.LinkHandler\CLSID\ = "{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5} | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler+LinkType" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler+LinkType" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888} | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID\ = "{00000003-1118-11DA-8CD6-0800200C9888}" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\ = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE} | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ = "Tensons.Application.DownloadAcceleratorManager.BHO" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\setupc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
| N/A | N/A | C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe
"C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"
C:\Users\Admin\AppData\Local\Temp\setupc.exe
C:\Users\Admin\AppData\Local\Temp\setupc.exe DownloadAcceleratorManager MediaGrabber damfhp damhlpr firefox chrome iexplore
C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /ia C:\Program Files\Tensons\Download Accelerator Manager
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /s /codebase "C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /s /codebase "C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /delete dam
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /delete DownloadAcceleratorManager
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /nologo /silent "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /register /codebase /silent "C:\Program Files\Tensons\Download Accelerator Manager\\DamBho.dll"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /register /codebase /silent "C:\Program Files\Tensons\Download Accelerator Manager\\DamBho.dll"
C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /iu C:\Program Files\Tensons\Download Accelerator Manager
C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /iu C:\Program Files\Tensons\Download Accelerator Manager
C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://install.tensons.com/?pid=003&v=5.6.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | install.tensons.com | udp |
| DE | 217.160.0.153:80 | install.tensons.com | tcp |
| DE | 217.160.0.153:80 | install.tensons.com | tcp |
| US | 8.8.8.8:53 | www.damdownloader.com | udp |
| US | 74.208.236.212:80 | www.damdownloader.com | tcp |
| US | 74.208.236.212:80 | www.damdownloader.com | tcp |
| US | 74.208.236.212:80 | www.damdownloader.com | tcp |
| US | 74.208.236.212:80 | www.damdownloader.com | tcp |
| US | 74.208.236.212:80 | www.damdownloader.com | tcp |
| US | 74.208.236.212:80 | www.damdownloader.com | tcp |
| US | 8.8.8.8:53 | www.tensons.com | udp |
| US | 74.208.236.212:80 | www.tensons.com | tcp |
| US | 74.208.236.212:80 | www.tensons.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\UAC.dll
| MD5 | acfb66ee6fc1f4266229ec6098fe1740 |
| SHA1 | e1aeb31b11996015d7f17308e2f2bbe69d4e1476 |
| SHA256 | 6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e |
| SHA512 | bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303 |
\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini
| MD5 | e71b6d96350c05001d4b8149d34d06f0 |
| SHA1 | 72f04f8cc9b74527d5b31e80dc5a3ca3d31fc971 |
| SHA256 | 16e1895e8a0e15fc376e7e191751c07210835ec586ecbe61d9170b14e293396e |
| SHA512 | 2bd7c133f00fade07883f1f43330f6e74455f8af2f57a86e2955beb0ae77e73c53070931582ea82770991ee71404875dab6c5a7dfaf3ca12a095d3dbbae01a77 |
\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\InstallOptions.dll
| MD5 | 8d5a5529462a9ba1ac068ee0502578c7 |
| SHA1 | 875e651e302ce0bfc8893f341cf19171fee25ea5 |
| SHA256 | e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790 |
| SHA512 | 101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462 |
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\DotNetChecker.dll
| MD5 | 83b493e0bc0cf1105ce25d9bd5d1c2b9 |
| SHA1 | 1813bcb2a4384bd2a134bec29bd978f0b5c4e1b4 |
| SHA256 | 3f7bed61a1f5ad0c0a468363c4f2974c2674fd018ce2aabd40b5a16604c2d4cd |
| SHA512 | 3aaccda41b5822d8eca0f8fb01c060151a1a19038c35905c937949491edc803ad7399f71ea7d56fded69394e4abb3f6266b3b3a8bcf644ef4bccb3406e3c2769 |
memory/2072-138-0x0000000074B50000-0x0000000074C6C000-memory.dmp
\Users\Admin\AppData\Local\Temp\setupc.exe
| MD5 | 62738e8892a6d7b05cbb3b8a192afe9b |
| SHA1 | 6546f3fc2b4d1301bbc57ea98e57ebdabcc4b9cd |
| SHA256 | 55e37ec9db608c9dd898e3fd23975503e079a6f5ab82e0f9106014851ea2411f |
| SHA512 | b88a231bfaad80f9c50dead56287d4e2bd445d5471267dcf39805c42abe692225696f7afbafa4fbbf0b4046de38e6f9edf03bed24f039a6d054a29aed4951762 |
memory/2424-144-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp
C:\Program Files\Tensons\Download Accelerator Manager\damhlprf.exe.config
| MD5 | 7ed00198dff303eefb49e046562b5b7d |
| SHA1 | f2a14ec5d2b7717061b77769067f93295f1fbc8b |
| SHA256 | f4ffcc01ea1c06be63c18d343187ccb5f2f5885f1780218780f92214415e9c74 |
| SHA512 | 71a2e8769e28a7dfe6d387bf3bfb0961af69d5bda7b6acc37ad6095581f02254e8d3be5b9583dfb39e34566f37c4fc54aa08f39e68ed705485519e7096b35ef9 |
\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
| MD5 | c9a97774f133b25b2c5db91d5b34bac2 |
| SHA1 | 55091d710765145164295c5f77fc93d76f957677 |
| SHA256 | 1d4d500bacc5dbc232d162dffe25287571a049082c554fb07d920733f5336f7e |
| SHA512 | a2e54b471d897d38ae366a2e5f1061a6c05236cdf7af1058e31f893039541799924de25adbfe412253fc568cf7730aaa3153eff8604f3c17bc7d43abad14c2e9 |
memory/1252-220-0x00000000003D0000-0x00000000004F8000-memory.dmp
memory/1252-221-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/700-222-0x000000013FAC0000-0x000000013FAD0000-memory.dmp
memory/700-223-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll
| MD5 | d37ae62d7ae1d1d29742b37b5e5a65ec |
| SHA1 | 52ca247535c8d2df65d1072370a2b7ab320b11f9 |
| SHA256 | 16c65138a398e626cb4e3c5440b89fb8c9c8c08fed7292c0b67a481f6fc6c1f5 |
| SHA512 | 30771626d02c6380ff6ea0022eccc09e9d142f7b819036cf3a0ea9eb9fea24b9c6a7404af9964d5f82aa7cfb26ca4320114ad91bd94469808a0509f6c8460f74 |
memory/700-225-0x0000000002060000-0x0000000002070000-memory.dmp
memory/700-226-0x0000000002060000-0x0000000002070000-memory.dmp
memory/700-227-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/980-228-0x0000000000110000-0x0000000000122000-memory.dmp
memory/980-231-0x0000000000620000-0x0000000000630000-memory.dmp
memory/980-234-0x0000000000620000-0x0000000000630000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 0c116067cb44edfda18538b5c3dd2775 |
| SHA1 | 7ca5e7973d15ade6df7b0e37572bfc1ca58579cf |
| SHA256 | 602351ea3a43b7b1547027f43cd41ea2536bb259e096edc82596ba8a10259eed |
| SHA512 | 627195492735b66dfe77e496925795a5bb1b695c0ae4b79af6656c10c6e303788ad0c1735f945ddab37052974716e6ece93db4895aa8f876adda12e22c92d150 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 75bd49c3d3addac04aa2138f3f8f117b |
| SHA1 | 04bcd1b0a2ce7c06648f1cc5e5f8b28694b4a2ed |
| SHA256 | c1137bbf8e8360af6c0129db4a6e985031c9d6a3f6ec77a9c5cfe7dad783f88e |
| SHA512 | e4fda4cf368081ce91c7a879d35e003c1aeeca46b80e0c2a56c4c88fc6a6d8ccf2663f3863777ab72a5a7f0fc195fed82b4a81db30e175d37427d146605c905a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 277aec4e9dcd33baa9edd8076e8b4250 |
| SHA1 | 4733fba00f6ece193dc8bbce652fc79580a220f3 |
| SHA256 | 980563f709604b8f9a7a143dc4c566cb5ea7b3a38c622c037833a09549f83dad |
| SHA512 | 6ed0eef9fc1e344dd2d67865d09a8f82aadf2dabd7e46c3916048be7c7406eca10fdf66f6227e833eb3196ff959bb79ddb6ede531fd204b5b6488fb97172fe69 |
memory/2932-244-0x000000001B1B0000-0x000000001B2D8000-memory.dmp
memory/2932-245-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/2932-246-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/572-247-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/572-248-0x0000000000160000-0x0000000000170000-memory.dmp
memory/572-249-0x0000064488000000-0x000006448847A000-memory.dmp
\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe
| MD5 | e4ab1f6ea57467d9acdcaa0dedcc7f16 |
| SHA1 | dd9c187f6036eadb9d30ceef94b38b8681a58087 |
| SHA256 | 77a174455ae1eeca7efcf6d85a4d91c871e294342d0fc9b63e7308b1e8363b9f |
| SHA512 | 75f3faa0de407f595e323058ad6f961ab529699b07d0c7c5b6c5d89d6c472ae551d9cb0f705dfa1d629f4c0bdba88612f3268d34e0edcc5d47f47367409520ef |
memory/572-265-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/2032-266-0x000000013F7B0000-0x000000013F7C0000-memory.dmp
memory/2032-267-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/2032-269-0x00000000007B0000-0x00000000007BC000-memory.dmp
C:\Program Files\Tensons\Download Accelerator Manager\DamBho.dll
| MD5 | 2cac7bdbcd895a3b2216fbff08f87799 |
| SHA1 | ae20d356c897fa271a712a429ea7368cf379c55c |
| SHA256 | a391a059943274d82a89dc0eb069a57f8984c56cb3c4cded13388d4873985f16 |
| SHA512 | 13937d63facaf2c661dde15b456cb0c062712165acf9054171f3a47711eba78729d83ea54bf55e443bd55c83478660ffb4c49bb2a28a966bb30ca4eeda934dfc |
memory/2032-270-0x00000000007B0000-0x00000000007BC000-memory.dmp
memory/2032-271-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/2588-272-0x0000000001180000-0x0000000001192000-memory.dmp
memory/2588-275-0x0000000000460000-0x000000000046C000-memory.dmp
memory/2588-278-0x0000000000460000-0x000000000046C000-memory.dmp
C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\DAMfirefox.gif
| MD5 | d7a4d039966466bdbbb2dedb6026c582 |
| SHA1 | 2fa913238de077e63543742f75d8193c20a85349 |
| SHA256 | 9520ba714da28958015dbdefc5cff31c392e7f6b5c66e5d2df4c4c48f7e58223 |
| SHA512 | 262398a377bd72d081b64291960374b802394bdcc96025f260f08889011ed6ae6a024176cf35e5e3cb44c6ad2d039c08f0ac9221b7caec4135cc7970f707361c |
memory/1252-280-0x000000001AF20000-0x000000001AFA0000-memory.dmp
memory/1252-281-0x000000001AF20000-0x000000001AFA0000-memory.dmp
memory/2072-282-0x0000000074B50000-0x0000000074C6C000-memory.dmp
memory/1252-283-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/2624-285-0x00000000010A0000-0x00000000011C8000-memory.dmp
memory/2624-289-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp
\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe
| MD5 | 2449b8c5529f8c3896d04db90e15e586 |
| SHA1 | fd1512866db0c28f1c138a983e542832f63bf151 |
| SHA256 | f66a07292cd66881c6eb176cf6cb53fb934cf1262ebe8ba144d742e4c188cb11 |
| SHA512 | 00cd9c7026541e21cd1cfea5b37b8c1533e5dab73e1eed67ced4c99ddfb075f8fd661d51b41b18cc76b06dc030bbcf3e77f7631932a5445d9951e57e18bad7c3 |
C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe
| MD5 | 4b43463d7fed7e2c13ce35789ca2b03d |
| SHA1 | 65ca208297d967b6ed966b6316db3b1ee7d42273 |
| SHA256 | f3f55b3161f43ed96b5739b94816db53d09b782ad869433db0141c7c6a23c0a9 |
| SHA512 | d953918c5112cf0307879fd185af61b1feea5a883ccafbf18caf9100ec0695e224eef8405b60aa889873fd8a0eba64cafe34a2957680f6821d7dfae2755beb0a |
C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe.aux
| MD5 | c23aaffb596604c6369caf3b1291a4b8 |
| SHA1 | 07118497eb8eb907fdb5d784ff2fd19fe8423928 |
| SHA256 | 4f90393872408dfb22e85f4468e4d4f6aa14ab4aaf45b015aaddbe176cdb3a4a |
| SHA512 | b318dbb96c3ed72e27c5ce233bdda3070cbc8c3432a02e97c89416a487d2528b3402756f5b7e79e9da0ccf57e161dfef3bc34091414d1b6e9fb02477b5c5b17e |
\Program Files\Tensons\Download Accelerator Manager\MediaGrabber.exe
| MD5 | 0e617f91a119dfad00de19adc57231f4 |
| SHA1 | 74b5d97612740d8f90f6f199f543ef2df1c3832e |
| SHA256 | 9927c743ba8ce0ce8b59983693a7242cf9ca46d93630cf5c36fdde32e96cb150 |
| SHA512 | a17b1c1a0e91e4b657b8cf144af91b693eb723ec1ece96cdf9992178df353b4da545155fddd779330ade21d899fcce0502289ed6b0da1dcfa191a9fddd6406f0 |
memory/2624-290-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\customPage002.ini
| MD5 | 7fa5a3a0e3892c0ede0e7cf0feeb52db |
| SHA1 | e3e617d63ed0ad707f3e23747eea0c132d98556d |
| SHA256 | 6da1d876cbe106704612f0ed75e5cb01a44f58eb081c5e76991a1d12d12c3c7e |
| SHA512 | e04719fa763a7966940c7b538ca6a6c4e1d308581d7b438cf61f9340bc7e1968d281b19660de2acfd14da8bff71b6d020db9fc3a5fb77cd5ca5ecdea3b699cd7 |
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\customPage002.ini
| MD5 | 51705c7a434922cb5f94515fb9764b03 |
| SHA1 | 6b9a5ae64ade667aa4af50f15c3eb6f6edb3a306 |
| SHA256 | 2e52228430fffe78de7cee8306addb94a6292ab042897a0978bf77be081ca44a |
| SHA512 | 0362c6faca3b1a3600662a6e78e3432b8d0c930f1d7f7c6257ad6b74d68d930aeb0d1555bc642847577f1ce5264fbbfd3680b0cd1cb25b071a9edc5f239242f7 |
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\customPage002.ini
| MD5 | 2f462c1a7320b2dc24659195e50be662 |
| SHA1 | aa22599c41b2efc405532496989dadcb90dddfa0 |
| SHA256 | 2ddde12755d567628bb87a8f6908ab98e5a6fa4f899d944f032cffd86f609196 |
| SHA512 | 54c717b2f295830d9377a0daf7c18390548ae35ed2749676898e36d5019ad48ac413128af69aaabb39ccddae532756b79d7dd7ebb466e4d543d23fe15787ddfc |
memory/1012-366-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
memory/1012-365-0x0000000001390000-0x00000000014B8000-memory.dmp
memory/1012-367-0x0000000000130000-0x0000000000140000-memory.dmp
memory/1012-369-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini
| MD5 | 1f79a896ff2f4d42d2242946865581de |
| SHA1 | e0181bcb8fa6aeba65f3687064b9b4e2293b387f |
| SHA256 | 9cc8815672baa28d73ba01f6d426145b62e3e2661062ac24a5878c2ef4765df8 |
| SHA512 | 40f63e64fdbc2e4e0270f61491cb36038df6a0d4b6644e406143140b95632562a8eec3da55af9bc1206da5431d9ac51c1df0f787635cf46c40c456b134a24e57 |
C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini
| MD5 | 3ce8d909302d1065dcb295f03829c278 |
| SHA1 | 86923fc2b15e5cc83719c3a17725c1f8fb202a94 |
| SHA256 | 8c440a018411f402f95a12b9b65c17d5403938c4bb8ae8a10ee77c41633350fe |
| SHA512 | e5756bd9ee4386717dc0ee8f48704612f161203e0da51c29b4af60fe81b283381a21cd1befe01c5aa654c2372c8d933477fe11c52f7a46c367c8ed233c6ae89e |
memory/1792-490-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp
memory/1792-488-0x0000000000140000-0x0000000000150000-memory.dmp
memory/1792-495-0x000000001B9A0000-0x000000001BA20000-memory.dmp
memory/1792-518-0x0000000000410000-0x0000000000436000-memory.dmp
memory/1792-519-0x000000001B9A0000-0x000000001BA20000-memory.dmp
memory/1792-520-0x000000001B9A0000-0x000000001BA20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon[1].htm
| MD5 | 9f1a72ec482631417808575cc932bd5a |
| SHA1 | 8492455bad3a0b904bddcf88d2816d26f281c742 |
| SHA256 | 29f0a779e085b38cb38f41c2608c2af21e89e81b0dfc6665feca5b3ae3fb83ec |
| SHA512 | dda3e0c922d3b214aeb3e00e087c9fe6f09dc8548104dead19c02eb5973a6de90870a3b2eae9e4fb59b34cf30954cfe4c9ab5bcf76e129a5ecfeb551d057b3ee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\icon[1].gif
| MD5 | 16c4bbfc8c0e2faef5c9e575f8e5db10 |
| SHA1 | e6df34e00fe5e6c4cb543c18b344c58e5c050530 |
| SHA256 | dbb001b04b242f857d9a2dfa1fbe9ae246b6153a67749dec208658f1a0d24f32 |
| SHA512 | 026ef36d08740977c256db8ba34fa51205bd0079cd94cede98bce6afb4b5977c48d0c3b7ab0abeeed819e8233aac4232420ea39a7a577e76dcff1875623fa6b8 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat
| MD5 | 2985cd5b754357ff82f520ac6dcf14b7 |
| SHA1 | 0d1f305aa9c739dcf169d7127fee3231fa43e105 |
| SHA256 | 3ce36167494268ae81594f68aedd4f97003a126a4c491ed24aa9d30371163e7e |
| SHA512 | d5591f86584819cd113c9f1b72daa6a0e64f203ed82adcd590da28bc532512bc38aa2fb52e45d4ccc65d6af547e03f7dee1a3c93a0ff656d28a0a8831584e17d |
C:\Users\Admin\AppData\Local\Temp\Cab4137.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar4267.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3087d58a7aca35d19cf8f63da013b94b |
| SHA1 | fb72bfb5f4588952ccb67ea9b581ec61989c694b |
| SHA256 | f571f268913b3011154b6630ab049550b7f91e198484b4fd2a2c279fac6c0e1d |
| SHA512 | 7282b49e7128106d2bc699d422436a00600ffd146f14ec400182e9c98ef76587590133a1fe3711bebcfb50cae4e0ecd744c9cb930cad55cb1b6b1078d43edc92 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4e99ae47a71f0ec540abdbcbe54ff09f |
| SHA1 | 54b0b4269167cc98cfe3d63c4c2d622ea120d49d |
| SHA256 | 33c7b95dfb9a758b75a5b528016265ed8ee08272b6a01fe252c5b1ea1826d9d5 |
| SHA512 | d100a6e704f8fe224f382197889b9d2a20d4689c6e4acc49adc784ae83ab4579166ee7971ac17fe35ce725ae3ea144003535f4f6524911e14da5e25bb0e28ac6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a74cb50222acec4aa5d3b6382c6929ea |
| SHA1 | 6aa832f48b6c147ae236e9ade1fac4bb4cb5a0be |
| SHA256 | 7b5a7405039c47712fb6d71a3a8b212da995c2186abedffb1cf4590cdc8b65c5 |
| SHA512 | 430714bbf7669a88f12541240eedbd3db3e8bbcaf1b0b29586f6dcf43d2ccb94ebaea2ac288eb377c587625ac1d38a0cac2dedc669273c3c9af57e47db23a6a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 363679474c283daae8efe8decf67a945 |
| SHA1 | 9fd65bb3a536b4b8a5644c6b0cd24549e4e5109e |
| SHA256 | 98b3e2e57e33a3356b69ddea8c96d4f80101c11acfc8e8c35b76e1899878460b |
| SHA512 | c3dc07b41d082bac87d312125f708babf79df413b26aebed9a3a96e759cb5f8dc15fe21a474564e263f9cc129204c16250ec9931012ef99f766d70b94fe396c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54a6dcd1504d430d468672d49be788ee |
| SHA1 | 35716d305feb6036ff99c3aafc4e87442cbca832 |
| SHA256 | c34f1c984b35ce764f0510c9da317bc1d86b58db4a73005977444170af6258ee |
| SHA512 | 288937fbf6bd6e148d2358145ddfb77e44aac457a4c300c042c8c781adbaaffadab30b2dde6fb181cc5e2700ad470521f7b9864981f6e602406ed7d8d57e2111 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1bd51ddda647e20ecf42bb2d61ef8744 |
| SHA1 | f9b7f2e6f07b7f892e18cc147b71153ac20253bb |
| SHA256 | e8e736f9eeccad95d48c9af202af321ea21a69d7feb0ee56d033d482658f7c0c |
| SHA512 | 19f5e8ca8d661ce13d1c4b01b6e9fea330e09f2950090bcb79f42416bd006ee397a83fb57f7085027490ac4962d5fc45b3bb2736af9e55f85334225ab610af81 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94120d305370a4733cd225d6267caebd |
| SHA1 | 8fc4245b925bbfd9f313a3fe81fdf4e1d3124af9 |
| SHA256 | a4c8f27c5c627a1c391360856260bad61392394503349a7aa27b602fb393aeb5 |
| SHA512 | 1bc03bbdc367a842aecac52a6e3e4007507e4fc7a26fc77dc1ad61c305554f55149a7fc94ce5f26c07bf86fa70692c229fc133fa0e01a21158611199fcd7366d |
memory/1792-1039-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp
memory/1792-1040-0x000000001B9A0000-0x000000001BA20000-memory.dmp
memory/1792-1041-0x000000001B9A0000-0x000000001BA20000-memory.dmp
memory/1792-1042-0x000000001B9A0000-0x000000001BA20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~DFE34F6C3ACB028D93.TMP
| MD5 | b0a1f1d96381bc2b658feb57792ade6e |
| SHA1 | 0960364751aac785566f8278c363bc481c9370f6 |
| SHA256 | 089f176703d3238a6038d40a58a85260298e78f3a31b6ba14f7032ffbbc0e245 |
| SHA512 | c4fee497851d449879cbb26beaaa778b1fc2a3bbe7a026f25ad6eba94119667e4d5e2fdbd52f0b18f51dc1aea58c99f81f9b7f2e4349611463ca9c9c1a1f488b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240319-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 228
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 220
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20231215-en
Max time kernel
110s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 456 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 456 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 456 wrote to memory of 5052 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1136 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1136 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1136 wrote to memory of 2184 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2184 -ip 2184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/2184-0-0x0000000075140000-0x000000007525C000-memory.dmp
memory/2184-1-0x0000000075140000-0x000000007525C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1984 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1984 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1984 wrote to memory of 2332 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2332 -ip 2332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
134s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1980 -ip 1980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.227.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.227.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
121s
Max time network
138s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe"
Network
Files
memory/2760-0-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2044 wrote to memory of 2732 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 516 wrote to memory of 4448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 516 wrote to memory of 4448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 516 wrote to memory of 4448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| GB | 96.17.178.204:80 | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2460 wrote to memory of 1128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1128 -ip 1128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2320 wrote to memory of 5060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2320 wrote to memory of 5060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2320 wrote to memory of 5060 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| GB | 172.217.16.234:443 | tcp | |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamBho.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2968 wrote to memory of 3024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 8 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 8 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 8 wrote to memory of 2764 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3824 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| NL | 142.250.179.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 224
Network
Files
memory/1824-0-0x0000000074460000-0x000000007457C000-memory.dmp
memory/1824-1-0x0000000074340000-0x000000007445C000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-21 15:02
Reported
2024-03-21 15:06
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 228