File name: DamewareRE.exe
Full analysis: https://app.any.run/tasks/6950f084-b975-46c2-83c3-a79c0c71e00a
Verdict: Malicious activity
Analysis date: November 30, 2023, 22:47:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: FC462C0DE12863A20836976DC3EF69ED
SHA1: 0A83F57EACF9A92CD101770F38DBF5FB3F1A7C13
SHA256: 7F613D6B3F30ADC096690F8B95E266DC214E781D43D505B2A3ED1C67BB14F570
SSDEEP: 98304:3+tgpr7TLlyxe1XLgAU/zPtrRzaftnCoaHcdG0O4arQ5KTSFYqg7Xky3rmk+qaxr:uqkFiiq4g8zT/EreV/iV3n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • DamewareRE.exe (PID: 552)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • DamewareRE.exe (PID: 552)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • DamewareRE.exe (PID: 552)
      Caveat: the file is written to Temp\nshE54D.tmp\ (see Dropped files). A Nullsoft (NSIS) installer, which is what the File info line identifies this sample as, extracts its plugin DLLs into exactly such a %TEMP%\ns*.tmp directory ($PLUGINSDIR), and System.dll is the stock NSIS System plugin. On its own this indicator is an installer artefact, not a system-file masquerade; weigh the persistent drops and the elevated BASupApp.exe process (PID 2584, HIGH integrity) instead.
    • Process drops legitimate Windows executable
      • DamewareRE.exe (PID: 552)
    • Reads security settings of Internet Explorer
      • BASupApp.exe (PID: 2480)
      • BASupApp.exe (PID: 2584)
    • The process drops C-runtime libraries
      • DamewareRE.exe (PID: 552)
    • Reads settings of System Certificates
      • BASupApp.exe (PID: 2480)
      • BASupApp.exe (PID: 2584)
    • Checks Windows Trust Settings
      • BASupApp.exe (PID: 2480)
      • BASupApp.exe (PID: 2584)
    • Reads the Internet Settings
      • BASupApp.exe (PID: 2480)
    • Application launched itself
      • BASupApp.exe (PID: 2480)
  • INFO
    • Checks supported languages
      • DamewareRE.exe (PID: 552)
      • BASupApp.exe (PID: 2480)
      • wmpnscfg.exe (PID: 2972)
      • BASupApp.exe (PID: 2584)
    • Reads the computer name
      • DamewareRE.exe (PID: 552)
      • BASupApp.exe (PID: 2480)
      • wmpnscfg.exe (PID: 2972)
      • BASupApp.exe (PID: 2584)
    • The executable file from the user directory is run by the CMD process
      • DamewareRE.exe (PID: 552)
    • Creates files or folders in the user directory
      • DamewareRE.exe (PID: 552)
      • BASupApp.exe (PID: 2480)
    • Creates files in a temporary directory
      • DamewareRE.exe (PID: 552)
    • Reads the machine GUID from the registry
      • BASupApp.exe (PID: 2480)
      • wmpnscfg.exe (PID: 2972)
      • BASupApp.exe (PID: 2584)
    • Checks whether UAC notifications are enabled
      • BASupApp.exe (PID: 2480)
      • BASupApp.exe (PID: 2584)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2972)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD (file-type guesses, match %)

.exe | Win32 Executable MS Visual C++ (generic) | 42.2
.exe | Win64 Executable (generic) | 37.3
.dll | Win32 Dynamic Link Library (generic) | 8.8
.exe | Win32 Executable (generic) | 6
.exe | Generic Win/DOS Executable | 2.7

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:02 05:20:09+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 120320
UninitializedDataSize: 1024
EntryPoint: 0x326c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process column in Process information below (explorer.exe itself was not monitored):

explorer.exe
  cmd.exe (PID 2980, no specs)
    DamewareRE.exe (PID 552, no specs)
      BASupApp.exe (PID 2480)
        BASupApp.exe (PID 2584)
  wmpnscfg.exe (PID 2972, no specs)

Process information

PID: 552
CMD: C:\Users\admin\AppData\Local\Temp\DamewareRE.exe
Path: C:\Users\admin\AppData\Local\Temp\DamewareRE.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\damewarere.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll

PID: 2480
CMD: "C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe" -from_installer
Path: C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe
Parent process: DamewareRE.exe
User: admin
Company: N-able Take Control
Integrity Level: MEDIUM
Description: N-able Take Control Applet
Exit code: 0
Version: 7.50.2.1502
Modules (images):
  c:\users\admin\appdata\local\dameware remote everywhere applet\basupapp.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll

PID: 2584
CMD: "C:\Users\admin\AppData\Local\DAMEWA~1\BASupApp.exe" -sas
Path: C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe
Parent process: BASupApp.exe
User: admin
Company: N-able Take Control
Integrity Level: HIGH
Description: N-able Take Control Applet
Exit code: 0
Version: 7.50.2.1502
Modules (images):
  c:\users\admin\appdata\local\dameware remote everywhere applet\basupapp.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wininet.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll

PID: 2972
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\ole32.dll

PID: 2980
CMD: "C:\Windows\System32\cmd.exe" /k C:\Users\admin\AppData\Local\Temp\DamewareRE.exe
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
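The process tree and the integrity levels above are what a triager actually reads from this section: a binary in the user's Temp started from cmd.exe, which installs and launches BASupApp.exe, which then launches a second copy of itself (the "Application launched itself" indicator) running at HIGH integrity. The Python below is an added example, not code from the ANY.RUN report or from N-able. It transcribes the five monitored processes, reconstructs the tree, flags the integrity jump and the self-launch, and lists the images that live under C:\Users. The parent PIDs are inferred from the parent-process names because the report gives names only (an assumption), and explorer.exe is treated as an unmonitored root.

```python
"""Process-tree triage over the 'Process information' section above.

Added example, not code from the ANY.RUN report or from N-able. Records are
transcribed from the report. The report names each parent process but gives
no parent PID, so parent PIDs are inferred (assumption): cmd.exe -> 2980,
DamewareRE.exe -> 552, BASupApp.exe -> 2480. explorer.exe was not monitored,
so it appears only as a root with no record of its own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTEGRITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                 # image file name as shown in the report
    path: str                  # the report's Path column
    cmdline: str               # the report's CMD column
    integrity: str             # the report's Integrity Level
    parent_pid: Optional[int]  # None = parent was not a monitored process
    parent_image: str


PROCS: List[Proc] = [
    Proc(2980, "cmd.exe", r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k C:\Users\admin\AppData\Local\Temp\DamewareRE.exe',
         "MEDIUM", None, "explorer.exe"),
    Proc(552, "DamewareRE.exe", r"C:\Users\admin\AppData\Local\Temp\DamewareRE.exe",
         r"C:\Users\admin\AppData\Local\Temp\DamewareRE.exe",
         "MEDIUM", 2980, "cmd.exe"),
    Proc(2480, "BASupApp.exe",
         r"C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe",
         r'"C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe" -from_installer',
         "MEDIUM", 552, "DamewareRE.exe"),
    Proc(2584, "BASupApp.exe",
         r"C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe",
         r'"C:\Users\admin\AppData\Local\DAMEWA~1\BASupApp.exe" -sas',
         "HIGH", 2480, "BASupApp.exe"),
    Proc(2972, "wmpnscfg.exe", r"C:\Program Files\Windows Media Player\wmpnscfg.exe",
         r'"C:\Program Files\Windows Media Player\wmpnscfg.exe"',
         "MEDIUM", None, "explorer.exe"),
]


def children_of(procs: List[Proc]) -> Dict[Optional[int], List[Proc]]:
    """Map parent PID -> children sorted by PID; key None holds the roots."""
    tree: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        tree.setdefault(p.parent_pid, []).append(p)
    for kids in tree.values():
        kids.sort(key=lambda p: p.pid)
    return tree


def render_tree(procs: List[Proc]) -> List[str]:
    """Indented tree; marks any child that runs above its parent's integrity."""
    tree = children_of(procs)
    by_pid = {p.pid: p for p in procs}
    lines = ["explorer.exe (not monitored)"]

    def walk(parent_pid: Optional[int], depth: int) -> None:
        for p in tree.get(parent_pid, []):
            parent = by_pid.get(p.parent_pid)
            note = ""
            if parent and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
                note = "  <-- integrity raised"
            lines.append(f"{'  ' * depth}{p.image} [{p.pid}] {p.integrity}{note}")
            walk(p.pid, depth + 1)

    walk(None, 1)
    return lines


def find_integrity_jumps(procs: List[Proc]) -> List[Tuple[int, int, str, str]]:
    """(parent_pid, child_pid, parent_level, child_level) wherever a child outranks its parent."""
    by_pid = {p.pid: p for p in procs}
    jumps = []
    for p in sorted(procs, key=lambda p: p.pid):
        parent = by_pid.get(p.parent_pid)
        if parent and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            jumps.append((parent.pid, p.pid, parent.integrity, p.integrity))
    return jumps


def find_self_launches(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) where a process spawned a copy of its own image."""
    by_pid = {p.pid: p for p in procs}
    return [(p.parent_pid, p.pid) for p in sorted(procs, key=lambda p: p.pid)
            if p.parent_pid in by_pid and by_pid[p.parent_pid].image.lower() == p.image.lower()]


def user_writable_images(procs: List[Proc]) -> List[int]:
    """PIDs whose image lives under C:\\Users. Checked on the image path, not the
    command line: cmd.exe names a user path on its command line but runs from System32."""
    return [p.pid for p in sorted(procs, key=lambda p: p.pid) if "\\users\\" in p.path.lower()]


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("integrity jumps:", find_integrity_jumps(PROCS))
    print("self launches:", find_self_launches(PROCS))
    print("images under C:\\Users:", user_writable_images(PROCS))
```

The elevation check is made on each parent/child pair, so the MEDIUM-to-HIGH step is reported against PIDs 2480 and 2584 rather than against the installer, and the user-directory check uses the image path rather than the command line, which is why PID 2980 (cmd.exe) is not listed even though its command line names a file in Temp.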
Total events: 11 022
Read events: 10 987
Write events: 32
Delete events: 3

Modification events

PID | Process | Operation | Key | Name = Value
2480 | BASupApp.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | LanguageList = en-US
2972 | wmpnscfg.exe | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{504F209B-8415-41A9-A5F5-5D46FB5C0495}\{5A03542F-93F4-4618-BCC9-179F23F69801} | (default)
2972 | wmpnscfg.exe | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{504F209B-8415-41A9-A5F5-5D46FB5C0495} | (default)
2972 | wmpnscfg.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{FCB8E35C-C475-4780-ACB0-3A7FB93D6870} | (default)
2480 | BASupApp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
2480 | BASupApp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
2480 | BASupApp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
2480 | BASupApp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
2584 | BASupApp.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | LanguageList = en-US
Executable files: 70
Suspicious files: 12
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Temp\nshE54D.tmp\System.dll | executable
    MD5: 5DFCBB8A6F997F761C42140852D1E97B
    SHA256: D6D897439781F43DFA1DAB63FA3530A8A98EAB3FE07D879C380DCA4DC69F3CE2
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupAppIT.dll | executable
    MD5: F4F02D43D990A6971CA649ECAA0A4DD6
    SHA256: 7B86F44CF394E57A6328239648C0CEF61BE493F3C54C2534063CB0D4D1339630
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupSysShell64.exe | executable
    MD5: 099D5A81EF1AB851865B46A1569B83C2
    SHA256: CA0CFAC0D9179E5824D0F4A8F71717310B4A1641189D501F99C90F86C29E678B
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupAppElev.exe | executable
    MD5: FF9E810AB85ABAD366624B181DE08A6E
    SHA256: D98549252A427DF7FD6648D1E53CB983655C54B0F5FD88C12CBFF54082650DF4
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupAppES.dll | executable
    MD5: 45FAE75F380AF2085AE0F29D246C991D
    SHA256: 7BF1C8C31008E936D880D5A459121367C97F3F2091DBFC6E9BD757679BE5E546
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupAppEN.dll | executable
    MD5: 2369B4F8ADF75A54D7BCC8B8117A4C83
    SHA256: 5205A04A9B50772C926DF64F0224B9CBC2DC32E52EE05BA672FD701D2CFB1269
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupAppPT.dll | executable
    MD5: 36287BFDC9628CA7B8066EBF16AD403C
    SHA256: F5C6580C27846D90452201D0349583C832C4FC1EEEA04A35A95D4819D0632F85
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupApp.exe | executable
    MD5: 33E725BF91F41F656DCFB423DDE43391
    SHA256: 303D1CD1E43F09B950EF2162FE785DAF22869B40D4AFFA3CFC5B4696ACA44601
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BASupAppDE.dll | executable
    MD5: 547A9C9EDBF76BBD904F6E81A68001CF
    SHA256: 82BCD093B87C3045D19810D3527D8BA3207B95FF2DE14903FCBFD13516BB3C17
552 | DamewareRE.exe | C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet\BAWHook.dll | executable
    MD5: 212B242768E3AF09042D59FFFE612327
    SHA256: 113B558EC8391298302B74DE14F7FDCE5440955087CE0A65DC5A0BF2492E55B1
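Two entries in this report pull in opposite directions: the SUSPICIOUS indicator about "System.dll" in Temp, and the fact that nine of the ten dropped files form a persistent, per-user install of the Take Control applet under AppData\Local. The Python below is an added example, not code from the ANY.RUN report or from N-able, that classifies each dropped path by where it landed. An NSIS installer extracts its plugin DLLs into a fresh %TEMP%\ns<x><hex>.tmp\ directory ($PLUGINSDIR), and System.dll is the stock NSIS System plugin, so that drop is scored as an installer artefact rather than a system-file look-alike; the rest are scored by whether they persist. The directory pattern, the plugin-name set, the "privileged helper" name hints for BASupAppElev.exe and BASupSysShell64.exe, and the locale-DLL pattern are heuristics written for this example (assumptions). They say what to look at next; the real check is the Authenticode signature and behaviour of those files, which this report does not show.

```python
"""Classify the report's dropped files by where they landed.

Added example, not code from the ANY.RUN report or from N-able. Paths and
SHA256 values are transcribed from the Dropped files table. The NSIS
directory pattern, the plugin-name set and the name hints below are
heuristics written for this example (assumptions), not sandbox rules.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Drop:
    pid: int
    process: str
    path: str
    sha256: str


APPLET_DIR = r"C:\Users\admin\AppData\Local\Dameware Remote Everywhere Applet"

DROPS: List[Drop] = [
    Drop(552, "DamewareRE.exe",
         r"C:\Users\admin\AppData\Local\Temp\nshE54D.tmp\System.dll",
         "D6D897439781F43DFA1DAB63FA3530A8A98EAB3FE07D879C380DCA4DC69F3CE2"),
] + [
    Drop(552, "DamewareRE.exe", APPLET_DIR + "\\" + name, sha256)
    for name, sha256 in [
        ("BASupAppIT.dll", "7B86F44CF394E57A6328239648C0CEF61BE493F3C54C2534063CB0D4D1339630"),
        ("BASupSysShell64.exe", "CA0CFAC0D9179E5824D0F4A8F71717310B4A1641189D501F99C90F86C29E678B"),
        ("BASupAppElev.exe", "D98549252A427DF7FD6648D1E53CB983655C54B0F5FD88C12CBFF54082650DF4"),
        ("BASupAppES.dll", "7BF1C8C31008E936D880D5A459121367C97F3F2091DBFC6E9BD757679BE5E546"),
        ("BASupAppEN.dll", "5205A04A9B50772C926DF64F0224B9CBC2DC32E52EE05BA672FD701D2CFB1269"),
        ("BASupAppPT.dll", "F5C6580C27846D90452201D0349583C832C4FC1EEEA04A35A95D4819D0632F85"),
        ("BASupApp.exe", "303D1CD1E43F09B950EF2162FE785DAF22869B40D4AFFA3CFC5B4696ACA44601"),
        ("BASupAppDE.dll", "82BCD093B87C3045D19810D3527D8BA3207B95FF2DE14903FCBFD13516BB3C17"),
        ("BAWHook.dll", "113B558EC8391298302B74DE14F7FDCE5440955087CE0A65DC5A0BF2492E55B1"),
    ]
]

# NSIS extracts plugin DLLs into $PLUGINSDIR, a fresh %TEMP%\ns<letter><hex>.tmp\ folder (heuristic).
NSIS_PLUGINDIR = re.compile(r"\\temp\\ns[a-z]?[0-9a-f]{1,5}\.tmp\\", re.I)
# Stock NSIS plugin DLL names commonly found there; System.dll is the NSIS System plugin.
NSIS_PLUGINS = {"system.dll", "nsexec.dll", "nsdialogs.dll", "userinfo.dll", "inetc.dll"}
# Name fragments that hint at a privileged helper; a naming heuristic only.
PRIVILEGED_HINT = re.compile(r"elev|sysshell|service|svc", re.I)
# Vendor per-language resource DLLs such as BASupAppEN.dll (naming heuristic).
LOCALE_DLL = re.compile(r"^BASupApp[A-Z]{2}\.dll$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(path: str) -> str:
    """Where the file landed, which is what decides how much the drop matters."""
    low = path.lower()
    name = basename(low)
    if NSIS_PLUGINDIR.search(low):
        # A known plugin inside $PLUGINSDIR is installer scaffolding, not a payload.
        return "nsis-plugin" if name in NSIS_PLUGINS else "nsis-plugindir-unknown"
    if "\\temp\\" in low:
        return "temp-drop"
    if "\\appdata\\" in low:
        return "user-install"      # persists, and needs no admin rights to write
    if "\\program files" in low:
        return "program-files"
    if "\\windows\\" in low:
        return "system-dir"
    return "other"


def summarize(drops: List[Drop]) -> Counter:
    return Counter(classify(d.path) for d in drops)


def persisted(drops: List[Drop]) -> List[Drop]:
    """Drops that outlive the installer run (everything outside Temp)."""
    transient = {"nsis-plugin", "nsis-plugindir-unknown", "temp-drop"}
    return [d for d in drops if classify(d.path) not in transient]


def privileged_helpers(drops: List[Drop]) -> List[str]:
    return [basename(d.path) for d in drops if PRIVILEGED_HINT.search(basename(d.path))]


def locale_dlls(drops: List[Drop]) -> List[str]:
    return [basename(d.path) for d in drops if LOCALE_DLL.match(basename(d.path))]


if __name__ == "__main__":
    for d in DROPS:
        print(f"{classify(d.path):24} {basename(d.path):24} {d.sha256[:16]}...")
    print("summary:", dict(summarize(DROPS)))
    print("persisted:", len(persisted(DROPS)), "files under", APPLET_DIR)
    print("privileged-helper names:", privileged_helpers(DROPS))
    print("locale DLLs:", locale_dlls(DROPS))
```

The classifier is deliberately path-based so it can be run over any sandbox drop list; the NSIS rule only fires for a known plugin name inside a $PLUGINSDIR-shaped directory, and an unfamiliar file in that same directory is reported separately, since that is where a trojanised installer would stage a payload.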
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 10
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2480 | BASupApp.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e0db84bfd8f003ce | unknown | compressed | 4.66 Kb | unknown
2480 | BASupApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D | unknown | binary | 471 b | unknown
2480 | BASupApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA8fXbsaZYto%2B%2BgfHxxj8JQ%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 304 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5c94acfb5b892539 | unknown | - | - | unknown
2480 | BASupApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTjzY2p9Pa8oibmj%2BNSMWsz63kmWgQUuhbZbU2FL3MpdpovdYxqII%2BeyG8CEAVEr%2FOUnQg5pr%2FbP1%2FlYRY%3D | unknown | binary | 727 b | unknown
1080 | svchost.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8c278ce706dba7cc | unknown | compressed | 65.2 Kb | unknown
2480 | BASupApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | binary | 471 b | unknown
2480 | BASupApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D | unknown | binary | 727 b | unknown

The 304 Not Modified response carries no body, so the type and size columns are empty for that row.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2480 | BASupApp.exe | 87.248.204.0:80 | ctldl.windowsupdate.com | LLNW | US | unknown
2480 | BASupApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1080 | svchost.exe | 87.248.204.0:80 | ctldl.windowsupdate.com | LLNW | US | unknown
2480 | BASupApp.exe | 104.18.38.243:443 | comserver.us3.swi-rc.com | CLOUDFLARENET | - | unknown
2480 | BASupApp.exe | 172.64.149.13:443 | comserver.us3.swi-rc.com | CLOUDFLARENET | US | unknown

The two TLS connections to comserver.us3.swi-rc.com are the only destinations in the capture that are neither Windows certificate-trust-list downloads nor OCSP lookups; the report leaves their reputation unknown, and the PCAP in the full report is where to confirm what the applet exchanged with them.

DNS requests

Domain | IP(s) | Reputation
ctldl.windowsupdate.com | 87.248.204.0 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
comserver.us3.swi-rc.com | 104.18.38.243, 172.64.149.13 | unknown
images.us3.swi-rc.com | 172.64.149.13, 104.18.38.243 | unknown

Threats

No threats detected
No debug info