d27c337c231b7ee7c0ab2b34fc3e45314ac9336398183bb475608306af0e8f6b

Analysis

max time kernel
102s
max time network
104s
platform
windows7_x64
resource
win7v20201028
submitted
03-01-2021 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DaumPotEncoder_1001_29260_.exe
Size

1.7MB
MD5

80be74f72d61a6e30e4e0d243ac8b0a5
SHA1

1df8c6d21c591d97c46b7d46062725a490935c6e
SHA256

d27c337c231b7ee7c0ab2b34fc3e45314ac9336398183bb475608306af0e8f6b
SHA512

d9273bd27a258477b06ac240db8bd71dcdd77190507486bbb58ee7581034ca906b263b5204c663ecd13c8cba48d18a01d93f2ff3376be98969f818e091ed1081

Score

10^/10

adware discovery evasion persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Executes dropped EXE 12 IoCs

Processes:

f92c18f9583533.exePotEncoder.exeDaumCleaner.exeDaumCleanerService.exeDaumStation.exeDaumStationService.exeDaumStation.exeDaumStation.exeDaumCleaner.exePotEncoder.exeLogManager.exeLogManager.exe

pid	process
956	f92c18f9583533.exe
1568	PotEncoder.exe
316	DaumCleaner.exe
1584	DaumCleanerService.exe
660	DaumStation.exe
852	DaumStationService.exe
1324	DaumStation.exe
1652	DaumStation.exe
1528	DaumCleaner.exe
328	PotEncoder.exe
1648	LogManager.exe
1312	LogManager.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

328 cmd.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DaumPotEncoder_1001_29260_.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine DaumPotEncoder_1001_29260_.exe

pid	process
328	cmd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	DaumPotEncoder_1001_29260_.exe

Loads dropped DLL 33 IoCs

Processes:

DaumPotEncoder_1001_29260_.exef92c18f9583533.exeDaumCleaner.exeDaumStation.exe

pid	process
2012	DaumPotEncoder_1001_29260_.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
660	DaumStation.exe
660	DaumStation.exe
660	DaumStation.exe
660	DaumStation.exe
660	DaumStation.exe
660	DaumStation.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
316	DaumCleaner.exe
956	f92c18f9583533.exe
956	f92c18f9583533.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DaumStation.exeDaumCleaner.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	DaumStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DaumStation = "C:\\Program Files (x86)\\Daum\\DaumStation\\DaumStation.exe"	DaumStation.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DaumCleaner = "\"C:\\Program Files\\Daum\\Cleaner\\DaumCleaner.exe\" /T"	DaumCleaner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

JavaScript code in executable 6 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	js
\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	js
\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	js
C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	js
C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	js
C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	js

Drops file in System32 directory 2 IoCs

Processes:

DaumCleaner.exe

description ioc process

File created C:\Windows\SysWOW64\DaumActiveX.dll DaumCleaner.exe
File created C:\Windows\SysWOW64\DaumAXMGR.dll DaumCleaner.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DaumPotEncoder_1001_29260_.exe

pid process

2012 DaumPotEncoder_1001_29260_.exe

description	ioc	process
File created	C:\Windows\SysWOW64\DaumActiveX.dll	DaumCleaner.exe
File created	C:\Windows\SysWOW64\DaumAXMGR.dll	DaumCleaner.exe

Drops file in Program Files directory 135 IoCs

Processes:

f92c18f9583533.exeDaumCleaner.exe

description	ioc	process
File created	C:\Program Files (x86)\Daum\PotEncoder\qscl.dll	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\004.bmp	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\µ¨\dell_normal.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\LGPL.TXT	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\galaxyS_high_AVC.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\galaxy_AVC.pes	f92c18f9583533.exe
File created	C:\Program Files\Daum\Cleaner\DaumCleanerAdmin.exe	DaumCleaner.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\Uninstall.exe	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\skin.zip	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\iPod_touch_high_avc.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\galaxyS_normal_VBR.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\001.bmp	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÆÀÌ¸®¹ö\SPINN_VBR.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\Çö´ëÀÚµ¿Â÷(³»ºñ°ÔÀÌ¼Ç)\hyudai_avante_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\libmp3lame-0.dll	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\002.bmp	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¼Ò´Ï\psp_high_avc_16.9.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÄÚ¿ø\iPhone_high_avc.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\amoled_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\tomnia_normal.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¸ðÅä·Î¶ó\atrix_AVC_VBR.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\½ÎÀÌ¾ð\MAXX_HIGH(AVC).pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\gdiplus.dll	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¼Ò´Ï\psp_4.3.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¼Ò´Ï\psp_avc_4.3.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\iPod_touch.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\tomnia_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\003.bmp	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÄÚ¿ø\q5.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\PotEncoder_Renew.exe	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\iPhone4.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÄÚ¿ø\d2.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÄÚ¿ø\s9_cbr.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\»ï¼º\p3_avc_cbr_avi.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\tomnia2_normal.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¸ðÅä·Î¶ó\artix_high_AVC.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\½ÎÀÌ¾ð\optimusQ_normal.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\ÆÌÀÎÄÚ´õ.ico	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÈÞ´ëÆù\mobile_K3G.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\»ï¼º\P2_CBR.pes	f92c18f9583533.exe
File created	C:\Program Files\Daum\Cleaner\Uninstall.exe	DaumCleaner.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\libavcodec_pe.dll	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\iPhone4_high_vbr.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\HTC\Desire_normal_VBR.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÀÎºñ¿À\invio_PD-1800_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\iPhone_high_avc.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÈÞ´ëÆù\mobile_SKM.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\»ï¼º\galtab_avc.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\logo.png	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\µ¨\dell_hight.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÄÚ¿ø\s9_avc_vbr.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\amoled12_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¸ðÅä·Î¶ó\atrix_normal.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\½ÎÀÌ¾ð\cookie_k3g.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\ÀÎºñ¿À\invio_PD-2100_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¼Ò´Ï¿¡¸¯½¼\x1_whigh.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\iPhone.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾ÖÇÃ\ipad_high_VBR.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\»ï¼º\galtab8_high_avc.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\skin\005.bmp	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\Çö´ëÀÚµ¿Â÷(³»ºñ°ÔÀÌ¼Ç)\hyudai_grand_high.pes	f92c18f9583533.exe
File created	C:\Program Files (x86)\Daum\PotEncoder\preset\¾Ö´ÏÄÝ\galaxy_high.pes	f92c18f9583533.exe

NSIS installer 18 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe	nsis_installer_2

Delays execution with timeout.exe 47 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
676	timeout.exe
292	timeout.exe
676	timeout.exe
1068	timeout.exe
1976	timeout.exe
1324	timeout.exe
1648	timeout.exe
1580	timeout.exe
1488	timeout.exe
1168	timeout.exe
1296	timeout.exe
1808	timeout.exe
1956	timeout.exe
924	timeout.exe
1972	timeout.exe
928	timeout.exe
396	timeout.exe
1696	timeout.exe
896	timeout.exe
688	timeout.exe
1236	timeout.exe
1568	timeout.exe
660	timeout.exe
1676	timeout.exe
1236	timeout.exe
1660	timeout.exe
1572	timeout.exe
540	timeout.exe
796	timeout.exe
1956	timeout.exe
888	timeout.exe
396	timeout.exe
540	timeout.exe
1808	timeout.exe
1012	timeout.exe
1960	timeout.exe
768	timeout.exe
1892	timeout.exe
1196	timeout.exe
1916	timeout.exe
1700	timeout.exe
1752	timeout.exe
1472	timeout.exe
1684	timeout.exe
1836	timeout.exe
1532	timeout.exe
1048	timeout.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

PotEncoder.exeDaumCleaner.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	PotEncoder.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	DaumCleaner.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\New_Tab_Provider = "2"	DaumCleaner.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

PotEncoder.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.daum.net/"	PotEncoder.exe

Modifies registry class 473 IoCs

Processes:

DaumCleaner.exeDaumCleanerService.exeDaumStationService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B4BDD07D-A21C-4429-B3F2-6A20F35ACBC0}\DllSurrogate	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4303D36D-830B-4E34-AB2C-6457B445047D}\1.0\0\win32	DaumCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD0CDEF6-4697-40d4-A2F0-D2A173841750}\ProgID	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7AAAB9F7-8DA1-4EDD-8A65-CFF8D1735A64}\1.0\FLAGS	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xman.CXmanNewObj\CurVer	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xmanbroker.BrokerNewObj\ = "BrokerObj Class"	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD0CDEF6-4697-40d4-A2F0-D2A173841750}\TypeLib\ = "{7AAAB9F7-8DA1-4edd-8A65-CFF8D1735A64}"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DaumCleanerService.DaumCleaner	DaumCleanerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DaumStart.DLL\AppID = "{8D3575C0-74E4-4A71-A4CB-F9116A56594C}"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xmanbroker.UpdatedBrokerObj.1	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9911A9AA-C607-426b-A110-DD0AB0E75DF5}\InprocServer32\ThreadingModel = "Apartment"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9911A9AA-C607-426b-A110-DD0AB0E75DF5}\TypeLib	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD0CDEF6-4697-40d4-A2F0-D2A173841750}\InprocServer32\ThreadingModel = "Apartment"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130F6841-7839-4A97-8F79-A6FDAC3C29ED}	DaumCleanerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3F10067-4DF9-492B-A10B-CE93E04ED4BE}\1.0\FLAGS	DaumCleanerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDDB5A00-D1EB-49D5-B197-72A06DF78AA1}\VersionIndependentProgID	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1089A2A7-C22D-48E8-9DC5-6FCFE77C0FE8}\ProxyStubClsid32	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8D859AE2-E75D-4E51-8655-D37F719814DC}\LocalServer32	DaumStationService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{290535A3-4C19-48FF-98AB-E9BCE7D7A291}\TypeLib\ = "{4303D36D-830B-4E34-AB2C-6457B445047D}"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD0CDEF6-4697-40d4-A2F0-D2A173841750}\Elevation	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7622BA8C-3309-4A10-9531-75C7B2DC6C2F}	DaumCleanerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xman.CXmanObj.1\CLSID	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xmanbroker.UpdatedBrokerObj.1\CLSID\ = "{E3A5A117-4736-40d6-932E-441159BF87D7}"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B3F10067-4DF9-492B-A10B-CE93E04ED4BE}\1.0	DaumCleanerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DaumStart.DaumStartHelper	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4BDD07D-A21C-4429-B3F2-6A20F35ACBC0}\VersionIndependentProgID	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C}\InprocServer32\ = "C:\\Windows\\SysWow64\\DaumActiveX.dll"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3A5A117-4736-40d6-932E-441159BF87D7}\Programmable	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3A5A117-4736-40d6-932E-441159BF87D7}\InprocServer32\ThreadingModel = "Apartment"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA7713F3-9590-4596-B30A-D894A4D87962}\TypeLib	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2F874BB-114F-4430-97CC-5B59E85631F2}\TypeLib\Version = "1.0"	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CBB7806-A691-4CAD-B335-EBF7C63D09BF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8D859AE2-E75D-4E51-8655-D37F719814DC}\AppID = "{0A132C76-D170-4172-B827-EFC4181399B0}"	DaumStationService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130F6841-7839-4A97-8F79-A6FDAC3C29ED}\ProgID	DaumCleanerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3A5A117-4736-40d6-932E-441159BF87D7}\TypeLib	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9911A9AA-C607-426b-A110-DD0AB0E75DF5}	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CBB7806-A691-4CAD-B335-EBF7C63D09BF}\ProxyStubClsid32	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDDB5A00-D1EB-49D5-B197-72A06DF78AA1}\ProgID\ = "DaumStart.DaumStartHelper.1"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4303D36D-830B-4E34-AB2C-6457B445047D}\1.0\0	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7AAAB9F7-8DA1-4EDD-8A65-CFF8D1735A64}\1.0\0\win32	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D40172FA-6EF4-4807-A326-59E0D4CCC270}\TypeLib\Version = "1.0"	DaumStationService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DaumCleanerService.DaumCleaner.1\ = "DaumCleaner Class"	DaumCleanerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD0CDEF6-4697-40d4-A2F0-D2A173841750}\LocalizedString = "@C:\\Windows\\system32\\DaumAXMGR.dll,-101"	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CD0CDEF6-4697-40d4-A2F0-D2A173841750}\ = "UpdatedBrokerObj Class"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CBB7806-A691-4CAD-B335-EBF7C63D09BF}\TypeLib	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xmanbroker.UpdatedBrokerObj\CLSID\ = "{E3A5A117-4736-40d6-932E-441159BF87D7}"	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{290535A3-4C19-48FF-98AB-E9BCE7D7A291}	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DaumCleanerService.DaumCleaner.1\CLSID\ = "{130F6841-7839-4A97-8F79-A6FDAC3C29ED}"	DaumCleanerService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9911A9AA-C607-426b-A110-DD0AB0E75DF5}\ProgID	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7AAAB9F7-8DA1-4EDD-8A65-CFF8D1735A64}\1.0\HELPDIR	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C}\TypeLib\ = "{4303D36D-830B-4E34-AB2C-6457B445047D}"	DaumCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4BDD07D-A21C-4429-B3F2-6A20F35ACBC0}	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DaumStationService.DaumStationAdminSe.1	DaumStationService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DaumStart.DLL	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xman.CXmanObj.1\ = "Daum ActiveX manager Class"	DaumCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E3A5A117-4736-40d6-932E-441159BF87D7}\TypeLib	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CBB7806-A691-4CAD-B335-EBF7C63D09BF}\TypeLib	DaumCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D40172FA-6EF4-4807-A326-59E0D4CCC270}\ = "IDaumStationAdminService"	DaumStationService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130F6841-7839-4A97-8F79-A6FDAC3C29ED}\TypeLib\ = "{B3F10067-4DF9-492B-A10B-CE93E04ED4BE}"	DaumCleanerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7622BA8C-3309-4A10-9531-75C7B2DC6C2F}\TypeLib\Version = "1.0"	DaumCleanerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xman.CXmanObj.1\CLSID\ = "{B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C}"	DaumCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C}\VersionIndependentProgID	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDDB5A00-D1EB-49D5-B197-72A06DF78AA1}\InprocServer32	DaumCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{290535A3-4C19-48FF-98AB-E9BCE7D7A291}\TypeLib	DaumCleaner.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f92c18f9583533.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	f92c18f9583533.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	f92c18f9583533.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	f92c18f9583533.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DaumPotEncoder_1001_29260_.exe

pid process

2012 DaumPotEncoder_1001_29260_.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

PotEncoder.exePotEncoder.exe

pid process

1568 PotEncoder.exe
1568 PotEncoder.exe
328 PotEncoder.exe
328 PotEncoder.exe
328 PotEncoder.exe

pid	process
1568	PotEncoder.exe
1568	PotEncoder.exe
328	PotEncoder.exe
328	PotEncoder.exe
328	PotEncoder.exe

Suspicious use of WriteProcessMemory 240 IoCs

Processes:

DaumPotEncoder_1001_29260_.execmd.exe

description	pid	process	target process
PID 2012 wrote to memory of 328	2012	DaumPotEncoder_1001_29260_.exe	cmd.exe
PID 2012 wrote to memory of 328	2012	DaumPotEncoder_1001_29260_.exe	cmd.exe
PID 2012 wrote to memory of 328	2012	DaumPotEncoder_1001_29260_.exe	cmd.exe
PID 2012 wrote to memory of 328	2012	DaumPotEncoder_1001_29260_.exe	cmd.exe
PID 328 wrote to memory of 540	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 540	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 540	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 540	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1808	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1808	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1808	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1808	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 676	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 676	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 676	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 676	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1068	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1068	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1068	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1068	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1236	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1236	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1236	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1236	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1956	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1956	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1956	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1956	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1660	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1660	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1660	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1660	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1916	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1916	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1916	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1916	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1976	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1976	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1976	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1976	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1572	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1572	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1572	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1572	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1700	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1700	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1700	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1700	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1752	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1752	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1752	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1752	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1324	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1324	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1324	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1324	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1648	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1648	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1648	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1648	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1472	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1472	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1472	328	cmd.exe	timeout.exe
PID 328 wrote to memory of 1472	328	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\DaumPotEncoder_1001_29260_.exe
"C:\Users\Admin\AppData\Local\Temp\DaumPotEncoder_1001_29260_.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c $$3532.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:540

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1808

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:676

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1068

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1236

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1660

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1916

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1572

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1700

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1324

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1648

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1472

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:540

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1808

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:676

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1580

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1012

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:924

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1488

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:292

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1684

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1892

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1960

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1836

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1972

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:396

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1696

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:796

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:660

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:928

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1532

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1168

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:896

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1048

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:768

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1236

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1676

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1296

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:888

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1196

C:\Windows\SysWOW64\timeout.exe
Timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:396

C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe
"C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
PID:956

C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
"C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe" -RegisterDaum
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe" /S
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:316

C:\Program Files\Daum\Cleaner\DaumCleanerService.exe
"C:\Program Files\Daum\Cleaner\DaumCleanerService.exe" /Service
4⤵
- Executes dropped EXE
- Modifies registry class
PID:1584

C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe
"C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe" /Icleaner
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:660

C:\Program Files (x86)\Daum\DaumStation\DaumStationService.exe
"C:\Program Files (x86)\Daum\DaumStation\DaumStationService.exe" /Service
5⤵
- Executes dropped EXE
- Modifies registry class
PID:852

C:\Program Files (x86)\Daum\DaumStation\DaumStation.exe
"C:\Program Files (x86)\Daum\DaumStation\DaumStation.exe" /I1
5⤵
- Executes dropped EXE
PID:1324

C:\Program Files (x86)\Daum\DaumStation\DaumStation.exe
"C:\Program Files (x86)\Daum\DaumStation\DaumStation.exe"
5⤵
- Executes dropped EXE
PID:1652

C:\Program Files\Daum\Cleaner\DaumCleaner.exe
"C:\Program Files\Daum\Cleaner\DaumCleaner.exe" /I1
4⤵
- Executes dropped EXE
PID:1528

C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
"C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328

C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe
"C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe" service=tvpot_encoder codes=program=install
3⤵
- Executes dropped EXE
PID:1648

C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe
"C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe" service=tvpot_encoder codes=program=install lowrun
4⤵
- Executes dropped EXE
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Daum\DaumStation\DaumStation.exe
MD5
8698e1ff8dc87b6c92b9a11d9c5d9132

SHA1
960f6a2dd79d427530de9e33eba6d2062cef4b6c

SHA256
697715ed7379505c439cd8c32aee9cd47288fe5f6f33b9bd7736aa4a395b4a2f

SHA512
ffa0d4adab6c387fd3c5967c6300d2b29c3289e19f7dcdace1c34876a5c4596af36586b21b3ec36eac661cac2e79571499d3515146972e9b296670097c12599a

Download Submit
C:\Program Files (x86)\Daum\DaumStation\DaumStation.exe
MD5
8698e1ff8dc87b6c92b9a11d9c5d9132

SHA1
960f6a2dd79d427530de9e33eba6d2062cef4b6c

SHA256
697715ed7379505c439cd8c32aee9cd47288fe5f6f33b9bd7736aa4a395b4a2f

SHA512
ffa0d4adab6c387fd3c5967c6300d2b29c3289e19f7dcdace1c34876a5c4596af36586b21b3ec36eac661cac2e79571499d3515146972e9b296670097c12599a

Download Submit
C:\Program Files (x86)\Daum\DaumStation\DaumStationService.exe
MD5
195ab7d7c119eb7596e4787fae71da48

SHA1
e4baa66e3f3e507bb589fbf1e0b36497ef0b23af

SHA256
4a678cdde7b1dbc58c3b7d593d764c4a4da549dd0404973fd3c527f77d0c902c

SHA512
4c3db6693bccfb259dd1684c120ebf994402373f3f81bc288459e9a333f732379d0d4f5c7e8bfa41f9ad065152b26d24355a706505fb9cfc36be7d63845d02e5

Download Submit
C:\Program Files (x86)\Daum\DaumStation\DaumStationService.exe
MD5
195ab7d7c119eb7596e4787fae71da48

SHA1
e4baa66e3f3e507bb589fbf1e0b36497ef0b23af

SHA256
4a678cdde7b1dbc58c3b7d593d764c4a4da549dd0404973fd3c527f77d0c902c

SHA512
4c3db6693bccfb259dd1684c120ebf994402373f3f81bc288459e9a333f732379d0d4f5c7e8bfa41f9ad065152b26d24355a706505fb9cfc36be7d63845d02e5

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe
MD5
bfcb72d7f9fc1cedbc0adebbface716c

SHA1
56bf1adaf9736d3d7ec5cf1beccb6129eeb88f95

SHA256
fcdffcaef46a6bde3db6f6e742707a41f103a81eacad1251a3c1114b060c10f5

SHA512
03592ab2f6711a5574ccf2d5cfd0f6986642ee22be2906f8f101247f33959dbdb2c21b1665281d273b728d488f120da1898994af033d3b43f4bf417a474938e3

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\LogManager.exe
MD5
bfcb72d7f9fc1cedbc0adebbface716c

SHA1
56bf1adaf9736d3d7ec5cf1beccb6129eeb88f95

SHA256
fcdffcaef46a6bde3db6f6e742707a41f103a81eacad1251a3c1114b060c10f5

SHA512
03592ab2f6711a5574ccf2d5cfd0f6986642ee22be2906f8f101247f33959dbdb2c21b1665281d273b728d488f120da1898994af033d3b43f4bf417a474938e3

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
MD5
de0f29d225c170d805a523af1df58bb3

SHA1
b76a4bec0ec86535b805eae5880f7779b06cbef6

SHA256
558a7634c007a8142c95f9389bf789f529d0327adc1433094531f7a6c0c9e0a6

SHA512
31d749236cf2b8ed609b8b26bb9eed6b562219b4a879e859a2b76a70f2f4e2af4879169aaee7648a03c52b6aec42c20cd68aff937b2d499ffea2e11c35f09488

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
MD5
de0f29d225c170d805a523af1df58bb3

SHA1
b76a4bec0ec86535b805eae5880f7779b06cbef6

SHA256
558a7634c007a8142c95f9389bf789f529d0327adc1433094531f7a6c0c9e0a6

SHA512
31d749236cf2b8ed609b8b26bb9eed6b562219b4a879e859a2b76a70f2f4e2af4879169aaee7648a03c52b6aec42c20cd68aff937b2d499ffea2e11c35f09488

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
MD5
de0f29d225c170d805a523af1df58bb3

SHA1
b76a4bec0ec86535b805eae5880f7779b06cbef6

SHA256
558a7634c007a8142c95f9389bf789f529d0327adc1433094531f7a6c0c9e0a6

SHA512
31d749236cf2b8ed609b8b26bb9eed6b562219b4a879e859a2b76a70f2f4e2af4879169aaee7648a03c52b6aec42c20cd68aff937b2d499ffea2e11c35f09488

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\skin\skin.zip
MD5
3fa5147e13f77f46d2407a86c1e910cf

SHA1
076273a06f1637edf512eec94c53454a558a95a1

SHA256
6059859fd4440aca504b36f4c16c978e8781d97516d704ad1bdeb6a542c2630d

SHA512
9f8b450b6a1d76c5387522b48f278975a3674a3005cb3912279aa27aed145b6a1a9428774d8f07fe127299107557573a6cb301ebf4569bdf7f1f4fc279198bd0

Download Submit
C:\Program Files (x86)\Daum\PotEncoder\updater.xml
MD5
46745d2f691390140a7ff6f9430dd50c

SHA1
8681e9e661a1522f8e322f2ebf2d1b230b7a8ced

SHA256
0fe3318884e05aaedf8fbe1657f5dd82bdb56b392a1017e5d5753f0a054125c6

SHA512
f2808b603c3355246fd6ba351e5e16a89801bad0083474da9955f7a0c8721434bf602b5a6a1fc5f69eacda1199f4c7e2ecb04be37ad0a9348651895fa95f1a97

Download Submit
C:\Program Files\Daum\Cleaner\DaumCleaner.exe
MD5
2465b1a2962802e49d6167fb1e323aa1

SHA1
123e8572dd9c9ad611ef03caf3cc020d1734efbe

SHA256
4d37d18a503c8123dfb1d6ec153fe518ac0c56755cd1f71d1ebc911b3ec2f350

SHA512
f9765ed44c94b50b5dc00b088f3c47827a8c1886ba9b50b369e99e5f572219dc151676282bb96185da789275fe5a292e746e250a1eb2212ebd700e36c095aa4d

Download Submit
C:\Program Files\Daum\Cleaner\DaumCleanerService.exe
MD5
a4a32466f9e562bbbdd494dabbe81787

SHA1
41c463bd0173d30820c4c6bb6fcf68f63be50c38

SHA256
84436798a2b4d7e3a2f23f0a5ae04c264bd4d4453cc43da8cfb9eb27eee39f71

SHA512
b2e2af0d95b796ea659b34ab726b84efa9f6b87b4dcad325c653a3b60f172188817fa91034751762f02f5e4d919d0536ad074167a193c039a144acdf86d863eb

Download Submit
C:\Program Files\Daum\Cleaner\DaumCleanerService.exe
MD5
a4a32466f9e562bbbdd494dabbe81787

SHA1
41c463bd0173d30820c4c6bb6fcf68f63be50c38

SHA256
84436798a2b4d7e3a2f23f0a5ae04c264bd4d4453cc43da8cfb9eb27eee39f71

SHA512
b2e2af0d95b796ea659b34ab726b84efa9f6b87b4dcad325c653a3b60f172188817fa91034751762f02f5e4d919d0536ad074167a193c039a144acdf86d863eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$3532.bat
MD5
d8f37b2ee4b400abd5c57fb0dbf914c9

SHA1
73cf26b71d030006aa949c46315fccfcfe43969f

SHA256
8e860635225b6ec9c4a182807391e2bcb4d2a87aafd1ec46257cae62a8460560

SHA512
81f99f0d93767799cfb37bf23c7735948ccc0284320c2f7791ca2631801894d84d8d6855b48d094b3ef7748a5c10c65a3bfe2d0dae6b0be69e0bd9ed8fef36bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe
MD5
ce394ffded3c0ecdcf6607a1501462de

SHA1
8aea47f17936ef622b2bd1fd68249a14bb39dd37

SHA256
558b5f496a20204b4e19b1973cc1c29e80ef840565f8b890400199a4c8f799b7

SHA512
8948e62c03e77bdc0ecd8b4ae8cd9c8338783e52ddf7d21846ffcae7721317092fac93f2509d941caee124b90455a6ced728f88671109b1d711696f0bdc6ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe
MD5
ce394ffded3c0ecdcf6607a1501462de

SHA1
8aea47f17936ef622b2bd1fd68249a14bb39dd37

SHA256
558b5f496a20204b4e19b1973cc1c29e80ef840565f8b890400199a4c8f799b7

SHA512
8948e62c03e77bdc0ecd8b4ae8cd9c8338783e52ddf7d21846ffcae7721317092fac93f2509d941caee124b90455a6ced728f88671109b1d711696f0bdc6ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe
MD5
2a80464af0ff68299e17a51e3decc8aa

SHA1
6909bbe4dd52f0dc97420938c5ab1e91bfa9817e

SHA256
9cc3a82639c91517383d1c1a6441ef3439ca1a9a4949823259a46d1f1c5f88fd

SHA512
18e906acd4cbbed8c5a98b9d08063c05481b51860c65a17ae75abd90831290caba4e4ddad4a4fa3515951aaaa6b26a72220bf6de4dee78c2cd92517db0dee41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe
MD5
2a80464af0ff68299e17a51e3decc8aa

SHA1
6909bbe4dd52f0dc97420938c5ab1e91bfa9817e

SHA256
9cc3a82639c91517383d1c1a6441ef3439ca1a9a4949823259a46d1f1c5f88fd

SHA512
18e906acd4cbbed8c5a98b9d08063c05481b51860c65a17ae75abd90831290caba4e4ddad4a4fa3515951aaaa6b26a72220bf6de4dee78c2cd92517db0dee41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe
MD5
c75f52cf61114e8a3032a23d9f0261c4

SHA1
6b0fbeaece78885dbe2073b7bd6c40ffe016f589

SHA256
9e8fe4481033621ef8c81b731cd3dbf134377a5c2b562108513d5572b27ba8b8

SHA512
9375240d30fdc42d4752771ebb92e1e5cfbf417a1593e9e18890413d1987b6087ae26e9da0e8c32527b170b8631dd958692b600b61c140f353765dd52aff8bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe
MD5
c75f52cf61114e8a3032a23d9f0261c4

SHA1
6b0fbeaece78885dbe2073b7bd6c40ffe016f589

SHA256
9e8fe4481033621ef8c81b731cd3dbf134377a5c2b562108513d5572b27ba8b8

SHA512
9375240d30fdc42d4752771ebb92e1e5cfbf417a1593e9e18890413d1987b6087ae26e9da0e8c32527b170b8631dd958692b600b61c140f353765dd52aff8bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KB42OJL6.txt
MD5
e270670427d7b8f88bb0f32ea4e59d8d

SHA1
3cef03ccf1440527c7891b06a51f827df1420fb6

SHA256
9cd9d7e0c53f52054f34c00f544cbbf82787241e45fb5f7fc3ec28ade83fb600

SHA512
f5de583f80575906a66183a9af9eb35b1e5a4f3deba78500db03dc3c54dd998fe17d07e76b9785a2c62ed42a8f60de627c7ac3898a358ad3a290e222d92b421a

Download Submit
\Program Files (x86)\Daum\DaumStation\DaumStation.exe
MD5
8698e1ff8dc87b6c92b9a11d9c5d9132

SHA1
960f6a2dd79d427530de9e33eba6d2062cef4b6c

SHA256
697715ed7379505c439cd8c32aee9cd47288fe5f6f33b9bd7736aa4a395b4a2f

SHA512
ffa0d4adab6c387fd3c5967c6300d2b29c3289e19f7dcdace1c34876a5c4596af36586b21b3ec36eac661cac2e79571499d3515146972e9b296670097c12599a

Download Submit
\Program Files (x86)\Daum\DaumStation\DaumStation.exe
MD5
8698e1ff8dc87b6c92b9a11d9c5d9132

SHA1
960f6a2dd79d427530de9e33eba6d2062cef4b6c

SHA256
697715ed7379505c439cd8c32aee9cd47288fe5f6f33b9bd7736aa4a395b4a2f

SHA512
ffa0d4adab6c387fd3c5967c6300d2b29c3289e19f7dcdace1c34876a5c4596af36586b21b3ec36eac661cac2e79571499d3515146972e9b296670097c12599a

Download Submit
\Program Files (x86)\Daum\DaumStation\DaumStation.exe
MD5
8698e1ff8dc87b6c92b9a11d9c5d9132

SHA1
960f6a2dd79d427530de9e33eba6d2062cef4b6c

SHA256
697715ed7379505c439cd8c32aee9cd47288fe5f6f33b9bd7736aa4a395b4a2f

SHA512
ffa0d4adab6c387fd3c5967c6300d2b29c3289e19f7dcdace1c34876a5c4596af36586b21b3ec36eac661cac2e79571499d3515146972e9b296670097c12599a

Download Submit
\Program Files (x86)\Daum\DaumStation\DaumStationService.exe
MD5
195ab7d7c119eb7596e4787fae71da48

SHA1
e4baa66e3f3e507bb589fbf1e0b36497ef0b23af

SHA256
4a678cdde7b1dbc58c3b7d593d764c4a4da549dd0404973fd3c527f77d0c902c

SHA512
4c3db6693bccfb259dd1684c120ebf994402373f3f81bc288459e9a333f732379d0d4f5c7e8bfa41f9ad065152b26d24355a706505fb9cfc36be7d63845d02e5

Download Submit
\Program Files (x86)\Daum\DaumStation\DaumStationService.exe
MD5
195ab7d7c119eb7596e4787fae71da48

SHA1
e4baa66e3f3e507bb589fbf1e0b36497ef0b23af

SHA256
4a678cdde7b1dbc58c3b7d593d764c4a4da549dd0404973fd3c527f77d0c902c

SHA512
4c3db6693bccfb259dd1684c120ebf994402373f3f81bc288459e9a333f732379d0d4f5c7e8bfa41f9ad065152b26d24355a706505fb9cfc36be7d63845d02e5

Download Submit
\Program Files (x86)\Daum\PotEncoder\LogManager.exe
MD5
bfcb72d7f9fc1cedbc0adebbface716c

SHA1
56bf1adaf9736d3d7ec5cf1beccb6129eeb88f95

SHA256
fcdffcaef46a6bde3db6f6e742707a41f103a81eacad1251a3c1114b060c10f5

SHA512
03592ab2f6711a5574ccf2d5cfd0f6986642ee22be2906f8f101247f33959dbdb2c21b1665281d273b728d488f120da1898994af033d3b43f4bf417a474938e3

Download Submit
\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
MD5
de0f29d225c170d805a523af1df58bb3

SHA1
b76a4bec0ec86535b805eae5880f7779b06cbef6

SHA256
558a7634c007a8142c95f9389bf789f529d0327adc1433094531f7a6c0c9e0a6

SHA512
31d749236cf2b8ed609b8b26bb9eed6b562219b4a879e859a2b76a70f2f4e2af4879169aaee7648a03c52b6aec42c20cd68aff937b2d499ffea2e11c35f09488

Download Submit
\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
MD5
de0f29d225c170d805a523af1df58bb3

SHA1
b76a4bec0ec86535b805eae5880f7779b06cbef6

SHA256
558a7634c007a8142c95f9389bf789f529d0327adc1433094531f7a6c0c9e0a6

SHA512
31d749236cf2b8ed609b8b26bb9eed6b562219b4a879e859a2b76a70f2f4e2af4879169aaee7648a03c52b6aec42c20cd68aff937b2d499ffea2e11c35f09488

Download Submit
\Program Files (x86)\Daum\PotEncoder\PotEncoder.exe
MD5
de0f29d225c170d805a523af1df58bb3

SHA1
b76a4bec0ec86535b805eae5880f7779b06cbef6

SHA256
558a7634c007a8142c95f9389bf789f529d0327adc1433094531f7a6c0c9e0a6

SHA512
31d749236cf2b8ed609b8b26bb9eed6b562219b4a879e859a2b76a70f2f4e2af4879169aaee7648a03c52b6aec42c20cd68aff937b2d499ffea2e11c35f09488

Download Submit
\Program Files\Daum\Cleaner\DaumCleaner.exe
MD5
2465b1a2962802e49d6167fb1e323aa1

SHA1
123e8572dd9c9ad611ef03caf3cc020d1734efbe

SHA256
4d37d18a503c8123dfb1d6ec153fe518ac0c56755cd1f71d1ebc911b3ec2f350

SHA512
f9765ed44c94b50b5dc00b088f3c47827a8c1886ba9b50b369e99e5f572219dc151676282bb96185da789275fe5a292e746e250a1eb2212ebd700e36c095aa4d

Download Submit
\Program Files\Daum\Cleaner\DaumCleaner.exe
MD5
2465b1a2962802e49d6167fb1e323aa1

SHA1
123e8572dd9c9ad611ef03caf3cc020d1734efbe

SHA256
4d37d18a503c8123dfb1d6ec153fe518ac0c56755cd1f71d1ebc911b3ec2f350

SHA512
f9765ed44c94b50b5dc00b088f3c47827a8c1886ba9b50b369e99e5f572219dc151676282bb96185da789275fe5a292e746e250a1eb2212ebd700e36c095aa4d

Download Submit
\Program Files\Daum\Cleaner\DaumCleaner.exe
MD5
2465b1a2962802e49d6167fb1e323aa1

SHA1
123e8572dd9c9ad611ef03caf3cc020d1734efbe

SHA256
4d37d18a503c8123dfb1d6ec153fe518ac0c56755cd1f71d1ebc911b3ec2f350

SHA512
f9765ed44c94b50b5dc00b088f3c47827a8c1886ba9b50b369e99e5f572219dc151676282bb96185da789275fe5a292e746e250a1eb2212ebd700e36c095aa4d

Download Submit
\Program Files\Daum\Cleaner\DaumCleanerService.exe
MD5
a4a32466f9e562bbbdd494dabbe81787

SHA1
41c463bd0173d30820c4c6bb6fcf68f63be50c38

SHA256
84436798a2b4d7e3a2f23f0a5ae04c264bd4d4453cc43da8cfb9eb27eee39f71

SHA512
b2e2af0d95b796ea659b34ab726b84efa9f6b87b4dcad325c653a3b60f172188817fa91034751762f02f5e4d919d0536ad074167a193c039a144acdf86d863eb

Download Submit
\Program Files\Daum\Cleaner\DaumCleanerService.exe
MD5
a4a32466f9e562bbbdd494dabbe81787

SHA1
41c463bd0173d30820c4c6bb6fcf68f63be50c38

SHA256
84436798a2b4d7e3a2f23f0a5ae04c264bd4d4453cc43da8cfb9eb27eee39f71

SHA512
b2e2af0d95b796ea659b34ab726b84efa9f6b87b4dcad325c653a3b60f172188817fa91034751762f02f5e4d919d0536ad074167a193c039a144acdf86d863eb

Download Submit
\Program Files\Daum\Cleaner\DaumStart.1.5.0.147.dll
MD5
569bd4777f5d95b3b7ba9f92b2a1e4ba

SHA1
04a9027bd96c2ffc739a4fc4bd5ba8b54b865347

SHA256
75cd2c93ee3e4163977b26d87b282f538799dd998cdb40ded8ef2c5221fdef03

SHA512
a0eb3b6ad948f1c41fe1ef1c17be736af8437e7343b40694c73d49659ec8d74cbb567b4d90c28e7b69eac344a67034e467db96d8e615854ba574aec45e5faf20

Download Submit
\Users\Admin\AppData\Local\Temp\f92c18f9583533.exe
MD5
ce394ffded3c0ecdcf6607a1501462de

SHA1
8aea47f17936ef622b2bd1fd68249a14bb39dd37

SHA256
558b5f496a20204b4e19b1973cc1c29e80ef840565f8b890400199a4c8f799b7

SHA512
8948e62c03e77bdc0ecd8b4ae8cd9c8338783e52ddf7d21846ffcae7721317092fac93f2509d941caee124b90455a6ced728f88671109b1d711696f0bdc6ab99

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\DaumCleaner.exe
MD5
2a80464af0ff68299e17a51e3decc8aa

SHA1
6909bbe4dd52f0dc97420938c5ab1e91bfa9817e

SHA256
9cc3a82639c91517383d1c1a6441ef3439ca1a9a4949823259a46d1f1c5f88fd

SHA512
18e906acd4cbbed8c5a98b9d08063c05481b51860c65a17ae75abd90831290caba4e4ddad4a4fa3515951aaaa6b26a72220bf6de4dee78c2cd92517db0dee41b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\InstallOptions.dll
MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\UAC.dll
MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\UAC.dll
MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
\Users\Admin\AppData\Local\Temp\nsdF2E8.tmp\inetc.dll
MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4250.tmp\DaumStation.exe
MD5
c75f52cf61114e8a3032a23d9f0261c4

SHA1
6b0fbeaece78885dbe2073b7bd6c40ffe016f589

SHA256
9e8fe4481033621ef8c81b731cd3dbf134377a5c2b562108513d5572b27ba8b8

SHA512
9375240d30fdc42d4752771ebb92e1e5cfbf417a1593e9e18890413d1987b6087ae26e9da0e8c32527b170b8631dd958692b600b61c140f353765dd52aff8bdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4250.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4250.tmp\UAC.dll
MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4250.tmp\UAC.dll
MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5276.tmp\System.dll
MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Windows\SysWOW64\DaumAXMGR.dll
MD5
199bd7c0a387a5bb491ee9736772fbdb

SHA1
0fd52f4575bd748afc0ce75da2c5c9d0ce596b58

SHA256
ecd6e4f061f6046dfc95c7caa8407ef8dce0a06878e8236e8ddfbc71ba017dcc

SHA512
ed5d121c87fe3b9d3fc5cc22dfacc8e0d2b4e944c007faab85a2d269a3181e2415893f84e994a321dff9767f0eb2a2e37cfb0df621a4cc03807a73e681f2e6df

Download Submit
\Windows\SysWOW64\DaumAXMGR.dll
MD5
199bd7c0a387a5bb491ee9736772fbdb

SHA1
0fd52f4575bd748afc0ce75da2c5c9d0ce596b58

SHA256
ecd6e4f061f6046dfc95c7caa8407ef8dce0a06878e8236e8ddfbc71ba017dcc

SHA512
ed5d121c87fe3b9d3fc5cc22dfacc8e0d2b4e944c007faab85a2d269a3181e2415893f84e994a321dff9767f0eb2a2e37cfb0df621a4cc03807a73e681f2e6df

Download Submit
\Windows\SysWOW64\DaumAXMGR.dll
MD5
199bd7c0a387a5bb491ee9736772fbdb

SHA1
0fd52f4575bd748afc0ce75da2c5c9d0ce596b58

SHA256
ecd6e4f061f6046dfc95c7caa8407ef8dce0a06878e8236e8ddfbc71ba017dcc

SHA512
ed5d121c87fe3b9d3fc5cc22dfacc8e0d2b4e944c007faab85a2d269a3181e2415893f84e994a321dff9767f0eb2a2e37cfb0df621a4cc03807a73e681f2e6df

Download Submit
\Windows\SysWOW64\DaumActiveX.dll
MD5
76c018fed13289e8a47a8c43e7eafe54

SHA1
dcca9c825c677f74d628259acc8c60dd6277cbde

SHA256
8573701869d8425a3683c27b187cf3d68f51afbcfedc6b10a3b06aad39457104

SHA512
adcd7ffb175fab5b21ae67108fd6701e90d82a2a58c7a617694b73b6124881b8cf2ecd7ad61bd11fe9573529f64b94ee57f673d377c5c49c5b5f13903b3f27ea

Download Submit
\Windows\SysWOW64\DaumActiveX.dll
MD5
76c018fed13289e8a47a8c43e7eafe54

SHA1
dcca9c825c677f74d628259acc8c60dd6277cbde

SHA256
8573701869d8425a3683c27b187cf3d68f51afbcfedc6b10a3b06aad39457104

SHA512
adcd7ffb175fab5b21ae67108fd6701e90d82a2a58c7a617694b73b6124881b8cf2ecd7ad61bd11fe9573529f64b94ee57f673d377c5c49c5b5f13903b3f27ea

Download Submit
\Windows\SysWOW64\DaumActiveX.dll
MD5
76c018fed13289e8a47a8c43e7eafe54

SHA1
dcca9c825c677f74d628259acc8c60dd6277cbde

SHA256
8573701869d8425a3683c27b187cf3d68f51afbcfedc6b10a3b06aad39457104

SHA512
adcd7ffb175fab5b21ae67108fd6701e90d82a2a58c7a617694b73b6124881b8cf2ecd7ad61bd11fe9573529f64b94ee57f673d377c5c49c5b5f13903b3f27ea

Download Submit
memory/292-29-0x0000000000000000-mapping.dmp

Download
memory/316-89-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/316-71-0x0000000000000000-mapping.dmp

Download
memory/316-85-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/316-91-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/316-111-0x0000000002D20000-0x0000000002D32000-memory.dmp

Filesize
72KB

Download
memory/328-116-0x0000000000000000-mapping.dmp

Download
memory/328-5-0x0000000000000000-mapping.dmp

Download
memory/396-62-0x0000000000000000-mapping.dmp

Download
memory/396-35-0x0000000000000000-mapping.dmp

Download
memory/540-7-0x0000000000000000-mapping.dmp

Download
memory/540-22-0x0000000000000000-mapping.dmp

Download
memory/660-92-0x0000000000000000-mapping.dmp

Download
memory/660-39-0x0000000000000000-mapping.dmp

Download
memory/676-9-0x0000000000000000-mapping.dmp

Download
memory/676-24-0x0000000000000000-mapping.dmp

Download
memory/688-45-0x0000000000000000-mapping.dmp

Download
memory/768-46-0x0000000000000000-mapping.dmp

Download
memory/796-37-0x0000000000000000-mapping.dmp

Download
memory/852-98-0x0000000000000000-mapping.dmp

Download
memory/888-51-0x0000000000000000-mapping.dmp

Download
memory/896-43-0x0000000000000000-mapping.dmp

Download
memory/924-27-0x0000000000000000-mapping.dmp

Download
memory/928-40-0x0000000000000000-mapping.dmp

Download
memory/956-59-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/956-53-0x0000000000000000-mapping.dmp

Download
memory/1012-26-0x0000000000000000-mapping.dmp

Download
memory/1048-44-0x0000000000000000-mapping.dmp

Download
memory/1068-10-0x0000000000000000-mapping.dmp

Download
memory/1156-4-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp

Filesize
2.5MB

Download
memory/1168-42-0x0000000000000000-mapping.dmp

Download
memory/1196-56-0x0000000000000000-mapping.dmp

Download
memory/1236-47-0x0000000000000000-mapping.dmp

Download
memory/1236-11-0x0000000000000000-mapping.dmp

Download
memory/1296-50-0x0000000000000000-mapping.dmp

Download
memory/1312-123-0x0000000000000000-mapping.dmp

Download
memory/1324-19-0x0000000000000000-mapping.dmp

Download
memory/1324-103-0x0000000000000000-mapping.dmp

Download
memory/1472-21-0x0000000000000000-mapping.dmp

Download
memory/1488-28-0x0000000000000000-mapping.dmp

Download
memory/1528-113-0x0000000000000000-mapping.dmp

Download
memory/1532-41-0x0000000000000000-mapping.dmp

Download
memory/1568-38-0x0000000000000000-mapping.dmp

Download
memory/1568-66-0x0000000000000000-mapping.dmp

Download
memory/1572-16-0x0000000000000000-mapping.dmp

Download
memory/1580-25-0x0000000000000000-mapping.dmp

Download
memory/1584-78-0x0000000000000000-mapping.dmp

Download
memory/1648-121-0x0000000000000000-mapping.dmp

Download
memory/1648-20-0x0000000000000000-mapping.dmp

Download
memory/1652-106-0x0000000000000000-mapping.dmp

Download
memory/1660-13-0x0000000000000000-mapping.dmp

Download
memory/1676-49-0x0000000000000000-mapping.dmp

Download
memory/1684-30-0x0000000000000000-mapping.dmp

Download
memory/1696-36-0x0000000000000000-mapping.dmp

Download
memory/1700-17-0x0000000000000000-mapping.dmp

Download
memory/1752-18-0x0000000000000000-mapping.dmp

Download
memory/1808-23-0x0000000000000000-mapping.dmp

Download
memory/1808-8-0x0000000000000000-mapping.dmp

Download
memory/1836-33-0x0000000000000000-mapping.dmp

Download
memory/1892-31-0x0000000000000000-mapping.dmp

Download
memory/1916-14-0x0000000000000000-mapping.dmp

Download
memory/1956-48-0x0000000000000000-mapping.dmp

Download
memory/1956-12-0x0000000000000000-mapping.dmp

Download
memory/1960-32-0x0000000000000000-mapping.dmp

Download
memory/1972-34-0x0000000000000000-mapping.dmp

Download
memory/1976-15-0x0000000000000000-mapping.dmp

Download
memory/2012-2-0x0000000003EE0000-0x0000000003EF1000-memory.dmp

Filesize
68KB

Download
memory/2012-3-0x00000000042F0000-0x0000000004301000-memory.dmp

Filesize
68KB

Download