Malware Analysis Report

2025-01-18 21:27

Sample ID 240321-sep6eaeb39
Target DAMsetup.exe
SHA256 5443b1c3aa80091b7e0d86681892e0871a7f1954dfa5cfd33318bc597116dd52
Tags
adware discovery persistence spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

5443b1c3aa80091b7e0d86681892e0871a7f1954dfa5cfd33318bc597116dd52

Threat Level: Shows suspicious behavior

The file DAMsetup.exe was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Registers COM server for autorun

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 15:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240220-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2292 wrote to memory of 2304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3036 wrote to memory of 2956 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2360 wrote to memory of 2348 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 3140 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz27.dll,#1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe

"C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\UAC.dll

MD5 acfb66ee6fc1f4266229ec6098fe1740
SHA1 e1aeb31b11996015d7f17308e2f2bbe69d4e1476
SHA256 6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e
SHA512 bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303

C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\ioSpecial.ini

MD5 cb19f50a458d9f2d4d30bfdbb286100d
SHA1 a23609a1dd3a1b94745391eeb8173630557e8885
SHA256 c764c814b232e5970a16bd9c1572c57ae0ef8ed7abc2d4d1431ca65db46f3ed6
SHA512 aa3593034560e8411b22acda4c63b56e89978bf1223ed9fea1d21ae541c9847bac303e75885c99d6381a41d3648e01c77b1ef7272d4cf39d2c1a83d24c7ddd7e

C:\Users\Admin\AppData\Local\Temp\nsb4AF5.tmp\InstallOptions.dll

MD5 8d5a5529462a9ba1ac068ee0502578c7
SHA1 875e651e302ce0bfc8893f341cf19171fee25ea5
SHA256 e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790
SHA512 101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

122s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 220

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
GB 13.105.221.15:443 tcp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3344 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3344 wrote to memory of 3848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1160 wrote to memory of 4564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4564 -ip 4564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

memory/2584-1-0x00007FFCADAC0000-0x00007FFCAE461000-memory.dmp

memory/2584-2-0x00007FFCADAC0000-0x00007FFCAE461000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamBho.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamBho.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 244

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 220

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 224

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 4636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 4636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 4636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz26.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 172.217.168.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:05

Platform

win7-20240220-en

Max time kernel

110s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
N/A N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
N/A N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000003-1118-11da-8cd6-0800200c9888} C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000003-1118-11da-8cd6-0800200c9888} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components\idammz.xpt C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz32.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\META-INF\mozilla.sf C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\uninstall.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\damfhp.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\damhlprf.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\chrome.manifest C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\install.rdf C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\dam.crx C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\chrome\dammz.jar C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\reset.reg C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz30.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz40.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\DAMchrome.gif C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\MediaGrabber.exe.config C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\cap.htm C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz35.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz39.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamBho.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\WRCsetup.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\MediaGrabber.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\MgDll.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\runMg.htm C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz42p.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\META-INF\manifest.mf C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\ultimate.gif C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\damfhp.exe.config C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\damhlprf.exe.config C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\mgrabber.gif C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\damhlpr.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\components\dammz.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\icon.png C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\META-INF\mozilla.rsa C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\DAMfirefox.gif C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz26.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\chrome.manifest C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\help.chm C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\chrome.manifest C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\addUrl.htm C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\dhl C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components\DamMz.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz31.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz34.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz38.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\install.rdf C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\chrome\dammz.jar C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\Interop.SHDocVw.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\components\idammz.xpt C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz37.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\addAllUrls.htm C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\install.rdf C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex3\dam.zip C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\about.gif C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\bi.dat C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\chrome\dammz.jar C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\dhlf C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz33.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz36.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\components2\DamMz41.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DamFirefox\old\ex\icon.png C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A
File created C:\Program Files\Tensons\Download Accelerator Manager\NpDam.dll C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe.aux.tmp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\23c-0\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary data omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088} C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴅ\{871536d3-39af-4fd9-85d4-6b4f8307f8c2} C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921089}\AppName = "MediaGrabber.exe" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\contexts = "243" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088}\AppPath = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{00000003-1118-11da-8cd6-0800200c9888}" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM\contexts = "243" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\cap.htm" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921089}\Policy = "3" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addUrl.htm" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\contexts = "34" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴅ\{871536d3-39af-4fd9-85d4-6b4f8307f8c2}\AppPath = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B800A31-E794-11EE-AD30-660F20EB2E2E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088}\Policy = "3" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Grab Video/Music with DAM\contexts = "243" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\contexts = "243" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{00000003-1118-11da-8cd6-0800200c9888}" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\Ⴓ C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴅ\{871536d3-39af-4fd9-85d4-6b4f8307f8c2}\AppName = "DownloadAcceleratorManager.exe" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴅ\{871536d3-39af-4fd9-85d4-6b4f8307f8c2}\Policy = "3" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addUrl.htm" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\&Download with DAM\contexts = "34" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addAllUrls.htm" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921088}\AppName = "DownloadAcceleratorManager.exe" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\Ⴓ\{e17d3efa-5297-4e7d-9650-0440a9921089}\AppPath = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Download &All with DAM\ = "C:\\Program Files\\Tensons\\Download Accelerator Manager\\\\addAllUrls.htm" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{00000003-1118-11da-8cd6-0800200c9888}" C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\Ⴅ C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\ = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.LinkHandler\CLSID\ = "{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID\ = "{00000003-1118-11DA-8CD6-0800200C9888}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE} C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ProgId C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\Implemented Categories C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamBho.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.LinkHandler C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.LinkHandler\CLSID\ = "{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5} C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler+LinkType" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler+LinkType" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888} C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Assembly = "DamBho, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\Class = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\ProgId\ = "Tensons.Application.DownloadAcceleratorManager.LinkHandler" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\CLSID\ = "{00000003-1118-11DA-8CD6-0800200C9888}" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\Implemented Categories C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\InprocServer32\2.1.0.0\Class = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Tensons.Application.DownloadAcceleratorManager.BHO\ = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE}\InprocServer32\2.2.0.0 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\Assembly = "DamLinkHandler, Version=2.2.0.0, Culture=neutral, PublicKeyToken=fee9c3dcb8af2eba" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64B6EEAF-13A8-30F7-9AB9-E4AF54AC40BE} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24B1E5E0-1100-3737-A6A2-EA80239F9EF5}\2.2.0.0\CodeBase = "file:///C:/Program Files/Tensons/Download Accelerator Manager/DamLinkHandler.DLL" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000003-1118-11DA-8CD6-0800200C9888}\ = "Tensons.Application.DownloadAcceleratorManager.BHO" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\setupc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Users\Admin\AppData\Local\Temp\setupc.exe
PID 2072 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Users\Admin\AppData\Local\Temp\setupc.exe
PID 2072 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Users\Admin\AppData\Local\Temp\setupc.exe
PID 2072 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Users\Admin\AppData\Local\Temp\setupc.exe
PID 2072 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 1252 wrote to memory of 700 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 700 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 700 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 980 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2976 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 2976 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 2976 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 664 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 664 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 664 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 1244 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 1244 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1252 wrote to memory of 1244 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1244 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1244 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1244 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1244 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1244 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1244 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1252 wrote to memory of 2032 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2032 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2032 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1252 wrote to memory of 2588 N/A C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2072 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe
PID 2072 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2072 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 888 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 888 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 888 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 888 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe

"C:\Users\Admin\AppData\Local\Temp\DAMsetup.exe"

C:\Users\Admin\AppData\Local\Temp\setupc.exe

C:\Users\Admin\AppData\Local\Temp\setupc.exe DownloadAcceleratorManager MediaGrabber damfhp damhlpr firefox chrome iexplore

C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe

"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /ia C:\Program Files\Tensons\Download Accelerator Manager

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /s /codebase "C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /s /codebase "C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /delete dam

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /delete DownloadAcceleratorManager

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /nologo /silent "C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 160 -InterruptEvent 0 -NGENProcess f4 -Pipe 164 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /register /codebase /silent "C:\Program Files\Tensons\Download Accelerator Manager\\DamBho.dll"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /register /codebase /silent "C:\Program Files\Tensons\Download Accelerator Manager\\DamBho.dll"

C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe

"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /iu C:\Program Files\Tensons\Download Accelerator Manager

C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe

"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe" /iu C:\Program Files\Tensons\Download Accelerator Manager

C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe

"C:\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://install.tensons.com/?pid=003&v=5.6.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 install.tensons.com udp
DE 217.160.0.153:80 install.tensons.com tcp
DE 217.160.0.153:80 install.tensons.com tcp
US 8.8.8.8:53 www.damdownloader.com udp
US 74.208.236.212:80 www.damdownloader.com tcp
US 74.208.236.212:80 www.damdownloader.com tcp
US 74.208.236.212:80 www.damdownloader.com tcp
US 74.208.236.212:80 www.damdownloader.com tcp
US 74.208.236.212:80 www.damdownloader.com tcp
US 74.208.236.212:80 www.damdownloader.com tcp
US 8.8.8.8:53 www.tensons.com udp
US 74.208.236.212:80 www.tensons.com tcp
US 74.208.236.212:80 www.tensons.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\UAC.dll

MD5 acfb66ee6fc1f4266229ec6098fe1740
SHA1 e1aeb31b11996015d7f17308e2f2bbe69d4e1476
SHA256 6d7e8070fa09cc4bb66fb99c2b88d0f5419602fa64a519437f430d9378300b1e
SHA512 bf0b5b22c57c08c88b4cbdd75bdf0c8eac433d42b4d163349391b71bc44d913e4d0e28e0826a7c27b418e6d2aa37c08c90577b56baa946a8f129486fbe01c303

\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini

MD5 e71b6d96350c05001d4b8149d34d06f0
SHA1 72f04f8cc9b74527d5b31e80dc5a3ca3d31fc971
SHA256 16e1895e8a0e15fc376e7e191751c07210835ec586ecbe61d9170b14e293396e
SHA512 2bd7c133f00fade07883f1f43330f6e74455f8af2f57a86e2955beb0ae77e73c53070931582ea82770991ee71404875dab6c5a7dfaf3ca12a095d3dbbae01a77

\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\InstallOptions.dll

MD5 8d5a5529462a9ba1ac068ee0502578c7
SHA1 875e651e302ce0bfc8893f341cf19171fee25ea5
SHA256 e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790
SHA512 101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\DotNetChecker.dll

MD5 83b493e0bc0cf1105ce25d9bd5d1c2b9
SHA1 1813bcb2a4384bd2a134bec29bd978f0b5c4e1b4
SHA256 3f7bed61a1f5ad0c0a468363c4f2974c2674fd018ce2aabd40b5a16604c2d4cd
SHA512 3aaccda41b5822d8eca0f8fb01c060151a1a19038c35905c937949491edc803ad7399f71ea7d56fded69394e4abb3f6266b3b3a8bcf644ef4bccb3406e3c2769

memory/2072-138-0x0000000074B50000-0x0000000074C6C000-memory.dmp

\Users\Admin\AppData\Local\Temp\setupc.exe

MD5 62738e8892a6d7b05cbb3b8a192afe9b
SHA1 6546f3fc2b4d1301bbc57ea98e57ebdabcc4b9cd
SHA256 55e37ec9db608c9dd898e3fd23975503e079a6f5ab82e0f9106014851ea2411f
SHA512 b88a231bfaad80f9c50dead56287d4e2bd445d5471267dcf39805c42abe692225696f7afbafa4fbbf0b4046de38e6f9edf03bed24f039a6d054a29aed4951762

memory/2424-144-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

C:\Program Files\Tensons\Download Accelerator Manager\damhlprf.exe.config

MD5 7ed00198dff303eefb49e046562b5b7d
SHA1 f2a14ec5d2b7717061b77769067f93295f1fbc8b
SHA256 f4ffcc01ea1c06be63c18d343187ccb5f2f5885f1780218780f92214415e9c74
SHA512 71a2e8769e28a7dfe6d387bf3bfb0961af69d5bda7b6acc37ad6095581f02254e8d3be5b9583dfb39e34566f37c4fc54aa08f39e68ed705485519e7096b35ef9

\Program Files\Tensons\Download Accelerator Manager\DownloadAcceleratorManager.exe

MD5 c9a97774f133b25b2c5db91d5b34bac2
SHA1 55091d710765145164295c5f77fc93d76f957677
SHA256 1d4d500bacc5dbc232d162dffe25287571a049082c554fb07d920733f5336f7e
SHA512 a2e54b471d897d38ae366a2e5f1061a6c05236cdf7af1058e31f893039541799924de25adbfe412253fc568cf7730aaa3153eff8604f3c17bc7d43abad14c2e9

memory/1252-220-0x00000000003D0000-0x00000000004F8000-memory.dmp

memory/1252-221-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/700-222-0x000000013FAC0000-0x000000013FAD0000-memory.dmp

memory/700-223-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

C:\Program Files\Tensons\Download Accelerator Manager\DamLinkHandler.dll

MD5 d37ae62d7ae1d1d29742b37b5e5a65ec
SHA1 52ca247535c8d2df65d1072370a2b7ab320b11f9
SHA256 16c65138a398e626cb4e3c5440b89fb8c9c8c08fed7292c0b67a481f6fc6c1f5
SHA512 30771626d02c6380ff6ea0022eccc09e9d142f7b819036cf3a0ea9eb9fea24b9c6a7404af9964d5f82aa7cfb26ca4320114ad91bd94469808a0509f6c8460f74

memory/700-225-0x0000000002060000-0x0000000002070000-memory.dmp

memory/700-226-0x0000000002060000-0x0000000002070000-memory.dmp

memory/700-227-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/980-228-0x0000000000110000-0x0000000000122000-memory.dmp

memory/980-231-0x0000000000620000-0x0000000000630000-memory.dmp

memory/980-234-0x0000000000620000-0x0000000000630000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

MD5 0c116067cb44edfda18538b5c3dd2775
SHA1 7ca5e7973d15ade6df7b0e37572bfc1ca58579cf
SHA256 602351ea3a43b7b1547027f43cd41ea2536bb259e096edc82596ba8a10259eed
SHA512 627195492735b66dfe77e496925795a5bb1b695c0ae4b79af6656c10c6e303788ad0c1735f945ddab37052974716e6ece93db4895aa8f876adda12e22c92d150

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

MD5 75bd49c3d3addac04aa2138f3f8f117b
SHA1 04bcd1b0a2ce7c06648f1cc5e5f8b28694b4a2ed
SHA256 c1137bbf8e8360af6c0129db4a6e985031c9d6a3f6ec77a9c5cfe7dad783f88e
SHA512 e4fda4cf368081ce91c7a879d35e003c1aeeca46b80e0c2a56c4c88fc6a6d8ccf2663f3863777ab72a5a7f0fc195fed82b4a81db30e175d37427d146605c905a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

MD5 277aec4e9dcd33baa9edd8076e8b4250
SHA1 4733fba00f6ece193dc8bbce652fc79580a220f3
SHA256 980563f709604b8f9a7a143dc4c566cb5ea7b3a38c622c037833a09549f83dad
SHA512 6ed0eef9fc1e344dd2d67865d09a8f82aadf2dabd7e46c3916048be7c7406eca10fdf66f6227e833eb3196ff959bb79ddb6ede531fd204b5b6488fb97172fe69

memory/2932-244-0x000000001B1B0000-0x000000001B2D8000-memory.dmp

memory/2932-245-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2932-246-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/572-247-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/572-248-0x0000000000160000-0x0000000000170000-memory.dmp

memory/572-249-0x0000064488000000-0x000006448847A000-memory.dmp

\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe

MD5 e4ab1f6ea57467d9acdcaa0dedcc7f16
SHA1 dd9c187f6036eadb9d30ceef94b38b8681a58087
SHA256 77a174455ae1eeca7efcf6d85a4d91c871e294342d0fc9b63e7308b1e8363b9f
SHA512 75f3faa0de407f595e323058ad6f961ab529699b07d0c7c5b6c5d89d6c472ae551d9cb0f705dfa1d629f4c0bdba88612f3268d34e0edcc5d47f47367409520ef

memory/572-265-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2032-266-0x000000013F7B0000-0x000000013F7C0000-memory.dmp

memory/2032-267-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2032-269-0x00000000007B0000-0x00000000007BC000-memory.dmp

C:\Program Files\Tensons\Download Accelerator Manager\DamBho.dll

MD5 2cac7bdbcd895a3b2216fbff08f87799
SHA1 ae20d356c897fa271a712a429ea7368cf379c55c
SHA256 a391a059943274d82a89dc0eb069a57f8984c56cb3c4cded13388d4873985f16
SHA512 13937d63facaf2c661dde15b456cb0c062712165acf9054171f3a47711eba78729d83ea54bf55e443bd55c83478660ffb4c49bb2a28a966bb30ca4eeda934dfc

memory/2032-270-0x00000000007B0000-0x00000000007BC000-memory.dmp

memory/2032-271-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2588-272-0x0000000001180000-0x0000000001192000-memory.dmp

memory/2588-275-0x0000000000460000-0x000000000046C000-memory.dmp

memory/2588-278-0x0000000000460000-0x000000000046C000-memory.dmp

C:\Program Files\Tensons\Download Accelerator Manager\Rsc\Img\DAMfirefox.gif

MD5 d7a4d039966466bdbbb2dedb6026c582
SHA1 2fa913238de077e63543742f75d8193c20a85349
SHA256 9520ba714da28958015dbdefc5cff31c392e7f6b5c66e5d2df4c4c48f7e58223
SHA512 262398a377bd72d081b64291960374b802394bdcc96025f260f08889011ed6ae6a024176cf35e5e3cb44c6ad2d039c08f0ac9221b7caec4135cc7970f707361c

memory/1252-280-0x000000001AF20000-0x000000001AFA0000-memory.dmp

memory/1252-281-0x000000001AF20000-0x000000001AFA0000-memory.dmp

memory/2072-282-0x0000000074B50000-0x0000000074C6C000-memory.dmp

memory/1252-283-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/2624-285-0x00000000010A0000-0x00000000011C8000-memory.dmp

memory/2624-289-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe

MD5 2449b8c5529f8c3896d04db90e15e586
SHA1 fd1512866db0c28f1c138a983e542832f63bf151
SHA256 f66a07292cd66881c6eb176cf6cb53fb934cf1262ebe8ba144d742e4c188cb11
SHA512 00cd9c7026541e21cd1cfea5b37b8c1533e5dab73e1eed67ced4c99ddfb075f8fd661d51b41b18cc76b06dc030bbcf3e77f7631932a5445d9951e57e18bad7c3

C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe

MD5 4b43463d7fed7e2c13ce35789ca2b03d
SHA1 65ca208297d967b6ed966b6316db3b1ee7d42273
SHA256 f3f55b3161f43ed96b5739b94816db53d09b782ad869433db0141c7c6a23c0a9
SHA512 d953918c5112cf0307879fd185af61b1feea5a883ccafbf18caf9100ec0695e224eef8405b60aa889873fd8a0eba64cafe34a2957680f6821d7dfae2755beb0a

C:\Windows\assembly\NativeImages_v4.0.30319_64\DownloadAccd9662b75#\8a68aa8d8ee2d06649a3735ce14c8d86\DownloadAcceleratorManager.ni.exe.aux

MD5 c23aaffb596604c6369caf3b1291a4b8
SHA1 07118497eb8eb907fdb5d784ff2fd19fe8423928
SHA256 4f90393872408dfb22e85f4468e4d4f6aa14ab4aaf45b015aaddbe176cdb3a4a
SHA512 b318dbb96c3ed72e27c5ce233bdda3070cbc8c3432a02e97c89416a487d2528b3402756f5b7e79e9da0ccf57e161dfef3bc34091414d1b6e9fb02477b5c5b17e

\Program Files\Tensons\Download Accelerator Manager\MediaGrabber.exe

MD5 0e617f91a119dfad00de19adc57231f4
SHA1 74b5d97612740d8f90f6f199f543ef2df1c3832e
SHA256 9927c743ba8ce0ce8b59983693a7242cf9ca46d93630cf5c36fdde32e96cb150
SHA512 a17b1c1a0e91e4b657b8cf144af91b693eb723ec1ece96cdf9992178df353b4da545155fddd779330ade21d899fcce0502289ed6b0da1dcfa191a9fddd6406f0

memory/2624-290-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\customPage002.ini

MD5 7fa5a3a0e3892c0ede0e7cf0feeb52db
SHA1 e3e617d63ed0ad707f3e23747eea0c132d98556d
SHA256 6da1d876cbe106704612f0ed75e5cb01a44f58eb081c5e76991a1d12d12c3c7e
SHA512 e04719fa763a7966940c7b538ca6a6c4e1d308581d7b438cf61f9340bc7e1968d281b19660de2acfd14da8bff71b6d020db9fc3a5fb77cd5ca5ecdea3b699cd7

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\customPage002.ini

MD5 51705c7a434922cb5f94515fb9764b03
SHA1 6b9a5ae64ade667aa4af50f15c3eb6f6edb3a306
SHA256 2e52228430fffe78de7cee8306addb94a6292ab042897a0978bf77be081ca44a
SHA512 0362c6faca3b1a3600662a6e78e3432b8d0c930f1d7f7c6257ad6b74d68d930aeb0d1555bc642847577f1ce5264fbbfd3680b0cd1cb25b071a9edc5f239242f7

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\customPage002.ini

MD5 2f462c1a7320b2dc24659195e50be662
SHA1 aa22599c41b2efc405532496989dadcb90dddfa0
SHA256 2ddde12755d567628bb87a8f6908ab98e5a6fa4f899d944f032cffd86f609196
SHA512 54c717b2f295830d9377a0daf7c18390548ae35ed2749676898e36d5019ad48ac413128af69aaabb39ccddae532756b79d7dd7ebb466e4d543d23fe15787ddfc

memory/1012-366-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

memory/1012-365-0x0000000001390000-0x00000000014B8000-memory.dmp

memory/1012-367-0x0000000000130000-0x0000000000140000-memory.dmp

memory/1012-369-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini

MD5 1f79a896ff2f4d42d2242946865581de
SHA1 e0181bcb8fa6aeba65f3687064b9b4e2293b387f
SHA256 9cc8815672baa28d73ba01f6d426145b62e3e2661062ac24a5878c2ef4765df8
SHA512 40f63e64fdbc2e4e0270f61491cb36038df6a0d4b6644e406143140b95632562a8eec3da55af9bc1206da5431d9ac51c1df0f787635cf46c40c456b134a24e57

C:\Users\Admin\AppData\Local\Temp\nsy17E6.tmp\ioSpecial.ini

MD5 3ce8d909302d1065dcb295f03829c278
SHA1 86923fc2b15e5cc83719c3a17725c1f8fb202a94
SHA256 8c440a018411f402f95a12b9b65c17d5403938c4bb8ae8a10ee77c41633350fe
SHA512 e5756bd9ee4386717dc0ee8f48704612f161203e0da51c29b4af60fe81b283381a21cd1befe01c5aa654c2372c8d933477fe11c52f7a46c367c8ed233c6ae89e

memory/1792-490-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

memory/1792-488-0x0000000000140000-0x0000000000150000-memory.dmp

memory/1792-495-0x000000001B9A0000-0x000000001BA20000-memory.dmp

memory/1792-518-0x0000000000410000-0x0000000000436000-memory.dmp

memory/1792-519-0x000000001B9A0000-0x000000001BA20000-memory.dmp

memory/1792-520-0x000000001B9A0000-0x000000001BA20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon[1].htm

MD5 9f1a72ec482631417808575cc932bd5a
SHA1 8492455bad3a0b904bddcf88d2816d26f281c742
SHA256 29f0a779e085b38cb38f41c2608c2af21e89e81b0dfc6665feca5b3ae3fb83ec
SHA512 dda3e0c922d3b214aeb3e00e087c9fe6f09dc8548104dead19c02eb5973a6de90870a3b2eae9e4fb59b34cf30954cfe4c9ab5bcf76e129a5ecfeb551d057b3ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\icon[1].gif

MD5 16c4bbfc8c0e2faef5c9e575f8e5db10
SHA1 e6df34e00fe5e6c4cb543c18b344c58e5c050530
SHA256 dbb001b04b242f857d9a2dfa1fbe9ae246b6153a67749dec208658f1a0d24f32
SHA512 026ef36d08740977c256db8ba34fa51205bd0079cd94cede98bce6afb4b5977c48d0c3b7ab0abeeed819e8233aac4232420ea39a7a577e76dcff1875623fa6b8

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

MD5 2985cd5b754357ff82f520ac6dcf14b7
SHA1 0d1f305aa9c739dcf169d7127fee3231fa43e105
SHA256 3ce36167494268ae81594f68aedd4f97003a126a4c491ed24aa9d30371163e7e
SHA512 d5591f86584819cd113c9f1b72daa6a0e64f203ed82adcd590da28bc532512bc38aa2fb52e45d4ccc65d6af547e03f7dee1a3c93a0ff656d28a0a8831584e17d

C:\Users\Admin\AppData\Local\Temp\Cab4137.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar4267.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3087d58a7aca35d19cf8f63da013b94b
SHA1 fb72bfb5f4588952ccb67ea9b581ec61989c694b
SHA256 f571f268913b3011154b6630ab049550b7f91e198484b4fd2a2c279fac6c0e1d
SHA512 7282b49e7128106d2bc699d422436a00600ffd146f14ec400182e9c98ef76587590133a1fe3711bebcfb50cae4e0ecd744c9cb930cad55cb1b6b1078d43edc92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e99ae47a71f0ec540abdbcbe54ff09f
SHA1 54b0b4269167cc98cfe3d63c4c2d622ea120d49d
SHA256 33c7b95dfb9a758b75a5b528016265ed8ee08272b6a01fe252c5b1ea1826d9d5
SHA512 d100a6e704f8fe224f382197889b9d2a20d4689c6e4acc49adc784ae83ab4579166ee7971ac17fe35ce725ae3ea144003535f4f6524911e14da5e25bb0e28ac6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a74cb50222acec4aa5d3b6382c6929ea
SHA1 6aa832f48b6c147ae236e9ade1fac4bb4cb5a0be
SHA256 7b5a7405039c47712fb6d71a3a8b212da995c2186abedffb1cf4590cdc8b65c5
SHA512 430714bbf7669a88f12541240eedbd3db3e8bbcaf1b0b29586f6dcf43d2ccb94ebaea2ac288eb377c587625ac1d38a0cac2dedc669273c3c9af57e47db23a6a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 363679474c283daae8efe8decf67a945
SHA1 9fd65bb3a536b4b8a5644c6b0cd24549e4e5109e
SHA256 98b3e2e57e33a3356b69ddea8c96d4f80101c11acfc8e8c35b76e1899878460b
SHA512 c3dc07b41d082bac87d312125f708babf79df413b26aebed9a3a96e759cb5f8dc15fe21a474564e263f9cc129204c16250ec9931012ef99f766d70b94fe396c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54a6dcd1504d430d468672d49be788ee
SHA1 35716d305feb6036ff99c3aafc4e87442cbca832
SHA256 c34f1c984b35ce764f0510c9da317bc1d86b58db4a73005977444170af6258ee
SHA512 288937fbf6bd6e148d2358145ddfb77e44aac457a4c300c042c8c781adbaaffadab30b2dde6fb181cc5e2700ad470521f7b9864981f6e602406ed7d8d57e2111

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bd51ddda647e20ecf42bb2d61ef8744
SHA1 f9b7f2e6f07b7f892e18cc147b71153ac20253bb
SHA256 e8e736f9eeccad95d48c9af202af321ea21a69d7feb0ee56d033d482658f7c0c
SHA512 19f5e8ca8d661ce13d1c4b01b6e9fea330e09f2950090bcb79f42416bd006ee397a83fb57f7085027490ac4962d5fc45b3bb2736af9e55f85334225ab610af81

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94120d305370a4733cd225d6267caebd
SHA1 8fc4245b925bbfd9f313a3fe81fdf4e1d3124af9
SHA256 a4c8f27c5c627a1c391360856260bad61392394503349a7aa27b602fb393aeb5
SHA512 1bc03bbdc367a842aecac52a6e3e4007507e4fc7a26fc77dc1ad61c305554f55149a7fc94ce5f26c07bf86fa70692c229fc133fa0e01a21158611199fcd7366d

memory/1792-1039-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

memory/1792-1040-0x000000001B9A0000-0x000000001BA20000-memory.dmp

memory/1792-1041-0x000000001B9A0000-0x000000001BA20000-memory.dmp

memory/1792-1042-0x000000001B9A0000-0x000000001BA20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~DFE34F6C3ACB028D93.TMP

MD5 b0a1f1d96381bc2b658feb57792ade6e
SHA1 0960364751aac785566f8278c363bc481c9370f6
SHA256 089f176703d3238a6038d40a58a85260298e78f3a31b6ba14f7032ffbbc0e245
SHA512 c4fee497851d449879cbb26beaaa778b1fc2a3bbe7a026f25ad6eba94119667e4d5e2fdbd52f0b18f51dc1aea58c99f81f9b7f2e4349611463ca9c9c1a1f488b

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win7-20240319-en
Max time kernel: 118s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 228

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win7-20240220-en
Max time kernel: 119s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 220

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20231215-en
Max time kernel: 110s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 456 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1136 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1136 wrote to memory of 2184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/2184-0-0x0000000075140000-0x000000007525C000-memory.dmp

memory/2184-1-0x0000000075140000-0x000000007525C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1984 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1984 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2332 -ip 2332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 134s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 1980 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 128.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\setupc.exe"

Network

N/A

Files

memory/2760-0-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2044 wrote to memory of 2732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components\DamMz.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 516 wrote to memory of 4448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 516 wrote to memory of 4448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 516 wrote to memory of 4448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 96.17.178.204:80 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 148s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1128 -ip 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2320 wrote to memory of 5060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
GB 172.217.16.234:443 tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted: 2024-03-21 15:02
Reported: 2024-03-21 15:06
Platform: win10v2004-20240226-en
Max time kernel: 146s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamBho.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamBho.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2968 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DamFirefox\components2\DamMz25.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 8 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 8 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 8 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3824 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.250.179.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
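The Network tables in this report (this one and the two above it) mix a large volume of reverse-DNS (in-addr.arpa) lookups with a handful of real connections. The helper below is an added triage script, not part of the sandbox report or its tooling: it parses the flattened "Country Destination Domain Proto" rows, separates PTR lookups and forward queries from actual connections, and lists the connections whose destination was never named by a forward query. The sample rows are transcribed from the behavioral4 table above and the two domain-less tcp rows of the behavioral3 table at the top of this section; the column reading (Domain absent on some tcp rows, 8.8.8.8:53 udp rows being DNS) is the editor's interpretation of the layout, not a documented schema.

```python
"""Triage the flattened 'Network' tables of a sandbox report.

Row layout:  Country  Destination(ip:port)  [Domain]  Proto
  * 8.8.8.8:53 udp with an x.y.z.w.in-addr.arpa name: a reverse (PTR) lookup
    for an IP the guest already talked to; octets are in reverse order.
  * 8.8.8.8:53 udp with any other name: a forward DNS query.
  * everything else: a real connection, i.e. the rows that become IOCs.
"""
import re

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I
)

# Rows transcribed from the report (behavioral4; last two from behavioral3).
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.250.179.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 172.217.16.234:443 tcp
NL 52.142.223.178:80 tcp
""".splitlines()


def parse_row(line):
    """Split one table row into fields; Domain is None when the row omits it."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row shape: {line!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def ptr_target(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def triage(lines):
    """Classify every row and return distinct connections plus DNS context."""
    reverse_lookups, forward_lookups, connections = set(), set(), set()
    for line in lines:
        if not line.strip() or line.startswith("Country "):
            continue  # blank line or the table header
        row = parse_row(line)
        if row["proto"] == "udp" and row["port"] == 53:
            target = ptr_target(row["domain"])
            if target:
                reverse_lookups.add(target)
            elif row["domain"]:
                forward_lookups.add(row["domain"].lower())
            continue
        connections.add((row["ip"], row["port"], row["proto"], row["domain"]))
    return {
        "connections": sorted(connections, key=str),
        "forward_lookups": sorted(forward_lookups),
        "reverse_lookups": sorted(reverse_lookups),
        # Connection IPs that were also PTR-resolved: the guest looked them up
        # after connecting, which is ordinary Windows/Edge behaviour and
        # accounts for most of the in-addr.arpa volume in these tables.
        "connections_with_ptr": sorted({c[0] for c in connections} & reverse_lookups),
        # Connections with no name at all are the first candidates for
        # hard-coded addresses; everything named here resolves to Microsoft
        # or Google services the detonation's own msedge.exe would contact.
        "connections_without_name": sorted(
            (c for c in connections if c[3] is None), key=str
        ),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETWORK).items():
        print(key, value)
```

Run against a full table, the "connections_without_name" list is the short list to check against threat intelligence; the PTR rows themselves carry no extra destinations beyond the IPs already present as connections or as the hosts the guest contacted in the background.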

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 224

Network

N/A

Files

memory/1824-0-0x0000000074460000-0x000000007457C000-memory.dmp

memory/1824-1-0x0000000074340000-0x000000007445C000-memory.dmp
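The "Suspicious use of WriteProcessMemory" and "Program crash" signatures in behavioral4, and the WerFault and memory-dump entries in behavioral5 (the same shape recurs in behavioral17 below), are easier to judge once cross-referenced. The script below is added triage code, not the sandbox's own: it treats a write from C:\Windows\system32\rundll32.exe into C:\Windows\SysWOW64\rundll32.exe carrying an identical command line as the relaunch that 64-bit rundll32 performs when handed a 32-bit DLL (the editor's interpretation, accepted only when both rundll32 entries have the same arguments), extracts the crashed PID from WerFault's "-p" argument, and parses the memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names. The embedded process lists, signature row and file names are transcribed from behavioral4 and behavioral5 above.

```python
"""Cross-reference one detonation's Processes, Signatures and Files sections.

Check 1: a WriteProcessMemory hit from the system32 rundll32 into a SysWOW64
rundll32 with the same command line is the WoW64 relaunch, not injection.
Check 2: WerFault.exe "-p <pid>" names the crashed process, and the
memory/<pid>-... dump names carry that PID plus the dumped address range.
"""
import re

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p (\d+)(?=\s|$)")
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Transcribed from the behavioral4 and behavioral5 detonations in this report.
BEHAVIORAL4_PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Dialer.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 604"),
]
BEHAVIORAL4_SIGNATURES = [
    r"PID 8 wrote to memory of 2764 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
]
BEHAVIORAL5_PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DotNetChecker.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 224"),
]
BEHAVIORAL5_FILES = [
    "memory/1824-0-0x0000000074460000-0x000000007457C000-memory.dmp",
    "memory/1824-1-0x0000000074340000-0x000000007445C000-memory.dmp",
]


def _args(cmdline):
    """Command line without its leading image token, case-folded for comparison."""
    return cmdline.split(None, 1)[1].lower() if " " in cmdline else ""


def classify_wpm(row, processes):
    """Verdict for one 'PID a wrote to memory of b ...' signature row.

    The report lists PIDs only inside the signature text, so parent and child
    are matched to the Processes section by image path.
    """
    m = WPM_RE.match(row)
    if not m:
        raise ValueError(f"not a WriteProcessMemory row: {row!r}")
    src_pid, dst_pid, _indicator, proc, target = m.groups()
    cmd = {image.lower(): _args(cl) for image, cl in processes}
    is_relaunch = (
        proc.lower().endswith("\\system32\\rundll32.exe")
        and target.lower().endswith("\\syswow64\\rundll32.exe")
        and cmd.get(proc.lower()) is not None
        and cmd.get(proc.lower()) == cmd.get(target.lower())
    )
    return {"src_pid": int(src_pid), "dst_pid": int(dst_pid),
            "verdict": "wow64-rundll32-relaunch" if is_relaunch else "review"}


def crashed_pids(processes):
    """PIDs named by WerFault.exe '-p <pid>' command lines."""
    pids = set()
    for image, cmdline in processes:
        if image.lower().endswith("\\werfault.exe"):
            pids.update(int(p) for p in WERFAULT_PID_RE.findall(cmdline))
    return pids


def dump_regions(files):
    """Parse memory dump names into {pid, index, start, end, size} records."""
    regions = []
    for name in files:
        m = DUMP_RE.match(name)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": start, "end": end, "size": end - start})
    return regions


def triage(processes, signatures, files):
    """Apply both checks to one detonation and join the results."""
    crashed = crashed_pids(processes)
    regions = dump_regions(files)
    return {
        "writeprocessmemory": [classify_wpm(r, processes) for r in signatures],
        "crashed_pids": crashed,
        "dumps": regions,
        "dumps_of_crashed": [r for r in regions if r["pid"] in crashed],
    }
```

For behavioral5 the two dumps belong to the crashed PID 1824 and have the same size (0x11C000 bytes), which is consistent with one 32-bit image captured at two load addresses. The crashes themselves are unsurprising: $PLUGINSDIR is the directory an NSIS installer unpacks its plugin DLLs into, and NSIS plugin exports expect the installer's stack and variable pointers as arguments, which rundll32 does not supply, so "Program crash" on Dialer.dll, DotNetChecker.dll and registry.dll most likely reflects how the sandbox invoked them rather than behaviour of the sample.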

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-21 15:02

Reported

2024-03-21 15:06

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 228

Network

N/A

Files

N/A