e8549034000f9633abb412a1cc7ef9b26d0d822a34890a91d32fedc386f0cce3

Analysis

max time kernel
123s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1306386da358611407940f89342ca83b.exe
Size

4.6MB
MD5

1306386da358611407940f89342ca83b
SHA1

764cf6b5e38e02b553e637e3b3fa39387c15ab8e
SHA256

e8549034000f9633abb412a1cc7ef9b26d0d822a34890a91d32fedc386f0cce3
SHA512

d4dbd6ccbf6fe7bd5077f72323be0f61f51e377404696dc1c10177470e92424d8a39585bdcbe59dbb509a8f7869396f897c508b263a1ece502af2d9a329935ec
SSDEEP

98304:xa48Y1rxBxNw2MFVqN39+904/Wj9VcSm/IAWZGH9x1KEfYJ2nwftHVNYe/ValT:448YpPxYvqN90p/WMnIxUxwEfYJ2ncru

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2520	DuoMi.exe
1220	dmdeskbox.exe
2372	dmdeskinfo.exe

Loads dropped DLL 40 IoCs

pid	Process
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2400	1306386da358611407940f89342ca83b.exe
2520	DuoMi.exe
1220	dmdeskbox.exe
1220	dmdeskbox.exe
2520	DuoMi.exe
2520	DuoMi.exe
1220	dmdeskbox.exe
1220	dmdeskbox.exe
1220	dmdeskbox.exe
2520	DuoMi.exe
2520	DuoMi.exe
2520	DuoMi.exe
2520	DuoMi.exe
2520	DuoMi.exe
2520	DuoMi.exe
2520	DuoMi.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2520	DuoMi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\duomi = "C:\\Program Files (x86)\\DuoMi\\DuoMi.exe /hide"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\duomitip = "C:\\Program Files (x86)\\DuoMi\\dmdeskbox.exe /hide"	1306386da358611407940f89342ca83b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	DuoMi.exe
File opened (read-only)	\??\h:	DuoMi.exe
File opened (read-only)	\??\j:	DuoMi.exe
File opened (read-only)	\??\k:	DuoMi.exe
File opened (read-only)	\??\u:	DuoMi.exe
File opened (read-only)	\??\w:	DuoMi.exe
File opened (read-only)	\??\z:	DuoMi.exe
File opened (read-only)	\??\b:	DuoMi.exe
File opened (read-only)	\??\i:	DuoMi.exe
File opened (read-only)	\??\m:	DuoMi.exe
File opened (read-only)	\??\n:	DuoMi.exe
File opened (read-only)	\??\o:	DuoMi.exe
File opened (read-only)	\??\r:	DuoMi.exe
File opened (read-only)	\??\y:	DuoMi.exe
File opened (read-only)	\??\g:	DuoMi.exe
File opened (read-only)	\??\q:	DuoMi.exe
File opened (read-only)	\??\v:	DuoMi.exe
File opened (read-only)	\??\l:	DuoMi.exe
File opened (read-only)	\??\p:	DuoMi.exe
File opened (read-only)	\??\s:	DuoMi.exe
File opened (read-only)	\??\t:	DuoMi.exe
File opened (read-only)	\??\x:	DuoMi.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DuoMi\codec\bass_flac.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\codec\codec.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\codec\oggsplitter.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmdnet.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmload.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\mfc71.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmdeskinfo.exe	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\codec\MPADecoder.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\default.png	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\Theme\Theme5.pth	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\Theme\Picture\sum\Í¼¿á0_sum_.jpg	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\jquery.js	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\mp3.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\wma.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\pncrt.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmdeskbox.exe	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\config\cusconfig.ini	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\Player_Loading.html	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\dpl.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\codec\DCBassSource.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\dmv.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\mkv.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmlyricctrl.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmplaycore.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\drvc.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmdesklyric.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\codec\CoreAVC0.ax	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\uninst.exe	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\raac.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\codec\codec.xml	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\Player_Error.html	1306386da358611407940f89342ca83b.exe
File opened for modification	C:\Program Files (x86)\DuoMi\config\cusconfig.ini	dmdeskinfo.exe
File created	C:\Program Files (x86)\DuoMi\LyricSkin\×ØÉ«»¨ÎÆ.lsk	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmcbar.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmcommon.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmlyric.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\config\sysconfig.ini	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\config\ÂþÂþÌú¹ì.lsk	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\Theme\Picture\sum\Í¼¿á2_sum_.jpg	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\cook.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmplayer.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\config\ipsecdef.dat	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\Theme\Theme1.pth	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\Theme\Picture\Í¼¿á0.jpg	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\LyricSkin\»ÒÍÃË¹»ù.lsk	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\ape.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\mp4.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmup.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\msvcr71.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\DuoMi.exe	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\ErrorNotify.exe	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmsamplesprocess.dll	1306386da358611407940f89342ca83b.exe
File opened for modification	C:\Program Files (x86)\DuoMi\¶àÃ×¹¤×÷ÊÒ.url	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\rmvb.ico	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\img\mask.png	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\img\searching.jpg	1306386da358611407940f89342ca83b.exe
File opened for modification	C:\Program Files (x86)\DuoMi\config\cusconfig.ini	1306386da358611407940f89342ca83b.exe
File opened for modification	C:\Program Files (x86)\DuoMi\data\cusconfig.ini	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\npduomi.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\dmobject.dll	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\Loading.html	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\resource\blank.html	1306386da358611407940f89342ca83b.exe
File created	C:\Program Files (x86)\DuoMi\Theme\Picture\Í¼¿á2.jpg	1306386da358611407940f89342ca83b.exe
File opened for modification	C:\Program Files (x86)\DuoMi\data\cusconfig.ini	DuoMi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Duomi.exe = "9000"	DuoMi.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	dmdeskbox.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	dmdeskinfo.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dmdeskinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dmdeskinfo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dpl\shell\open\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC\shell\open\	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WAV\shell\opendm\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuomiObj.DuomiObject\CLSID	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\TypeLib	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.pth\shell\open	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.MP3\shell\open\	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WMA\shell\opendm\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC\shell\open	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuoMi\Shell	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuomiObj.DuomiObject\CurVer	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\MiscStatus	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.flac\duomi_bk = "VLC.flac"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmv\ = "duomi.dmv"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dpl\shell\opendm\ = "ÓÃ ¶àÃ×ÒôÀÖ ´ò¿ª"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pth\ = "duomi.pth"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WMA\shell\opendm\command	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.FLAC\shell\opendm\ = "Ê¹ÓÃ ¶àÃ×ÒôÀÖ ²¥·Å"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\ = "CDuomiObject Object"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\Version\ = "1.0"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dpl\shell\opendm\command	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.pth	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC\shell\opendm\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WAV\shell\open\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DuoMi\ = "URL:DuoMi Protocol"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuomiObj.DuomiObject.1	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\ProgID	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBDD5D95-01EC-449E-9C7A-F85F61D28C50}\1.0\HELPDIR	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C02C7725-399E-47F9-90E1-5CDDDD6C71A5}\ProxyStubClsid32	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\duomi_bk = "VLC.mp3"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ = "duomi.WMA"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.MP3	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuoMi\Shell\open	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DuomiObj.DuomiObject.1\ = "CDuomiObject Object"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAC\ = "duomi.AAC"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dpl\DefaultIcon\ = "C:\\Program Files (x86)\\DuoMi\\resource\\dpl.ico,0"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.MP3\DefaultIcon\ = "C:\\Program Files (x86)\\DuoMi\\resource\\mp3.ico,0"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.FLAC\shell\opendm\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuoMi	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAC\duomi_bk = "VLC.aac"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\MiscStatus\ = "0"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dmv	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WMA\shell	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.FLAC\shell\open	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.FLAC\shell\opendm	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC\shell\	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WAV\shell\open	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{267355F8-8583-4621-8AAC-A9A3901EC90F}\VersionIndependentProgID\ = "DuomiObj.DuomiObject"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC\shell\open\command	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WAV\shell\opendm\command	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dpl	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBDD5D95-01EC-449E-9C7A-F85F61D28C50}\1.0	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BBDD5D95-01EC-449E-9C7A-F85F61D28C50}\1.0\0\win32\ = "C:\\Program Files (x86)\\DuoMi\\dmobject.dll"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dmv	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dmv\shell\open\command	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.dmv\shell\open\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.pth\shell\open\command\ = "\"C:\\Program Files (x86)\\DuoMi\\DuoMi.exe\" \"%1\""	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.pth\shell\opendm\command	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DuomiObj.DuomiObject	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.FLAC\shell\open\	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.AAC\shell\opendm\ = "Ê¹ÓÃ ¶àÃ×ÒôÀÖ ²¥·Å"	1306386da358611407940f89342ca83b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WAV\shell\opendm\ = "Ê¹ÓÃ ¶àÃ×ÒôÀÖ ²¥·Å"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\duomi.WMA\shell\open	1306386da358611407940f89342ca83b.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1220	dmdeskbox.exe
2520	DuoMi.exe
1220	dmdeskbox.exe
1220	dmdeskbox.exe
1220	dmdeskbox.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe
2520	DuoMi.exe
2372	dmdeskinfo.exe
2372	dmdeskinfo.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 2520	2400	1306386da358611407940f89342ca83b.exe	30
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2400 wrote to memory of 1220	2400	1306386da358611407940f89342ca83b.exe	31
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32
PID 2520 wrote to memory of 2372	2520	DuoMi.exe	32

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIPI = "0"	1306386da358611407940f89342ca83b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1306386da358611407940f89342ca83b.exe

C:\Users\Admin\AppData\Local\Temp\1306386da358611407940f89342ca83b.exe
"C:\Users\Admin\AppData\Local\Temp\1306386da358611407940f89342ca83b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2400
- C:\Program Files (x86)\DuoMi\DuoMi.exe
  "C:\Program Files (x86)\DuoMi\DuoMi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files (x86)\DuoMi\dmdeskinfo.exe
    "C:\Program Files (x86)\DuoMi\dmdeskinfo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2372
- C:\Program Files (x86)\DuoMi\dmdeskbox.exe
  "C:\Program Files (x86)\DuoMi\dmdeskbox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DuoMi\DuoMi.exe

Filesize
295KB

MD5
257d6811ebd842b294d4406204d4417c

SHA1
91fc9911a71ba6cdeb69097f0c53f38a6e6e8cc5

SHA256
4269b872b2fb1ef6a372ea5e88748f15ee598595410fa60f8da974d6af088964

SHA512
58a164c51324e075526c589691c12b4a5c04f02e72a3af44ad0aaa253c2bb940259714e4ff7b5c0407366902ded2602a6a554624047722c9a1fe4cf3c83d267d

Download Submit
C:\Program Files (x86)\DuoMi\MFC71.DLL

Filesize
394KB

MD5
e242f37d765794e2eaeb0e5e24f49ae9

SHA1
a0fec8fe6fd56162d6e273cad8787ceed0282101

SHA256
f72de7e2808cfe2fce1e632cafc7667b7cf488831d848788496a448c3e24471b

SHA512
5037cef1bd9623e96bd78cbb4045e0028b6c924bbe1db2cd58245b0d9ba3c7e5ad73b5a12401b48eae45dfde74822953c17e90cadefd22da94f419a7bdbc4954

Download Submit
C:\Program Files (x86)\DuoMi\MSVCP71.dll

Filesize
280KB

MD5
11ee33ffc9e844507df063f0a846a4bb

SHA1
4ba490041b9c0ba43f27a88540029d8e960a0db6

SHA256
c853f1aa40530d3cb1978513d8162080e38fae9ffe4a6c977578b67fc3962287

SHA512
6bbfbcead28eabdc1e0dc6262d93c4335e752ac262071e917ba347cf3235a96b8188eb12473f7767f5dd104ecc55ce980e79e67ca832e202220fb06727986c3a

Download Submit
C:\Program Files (x86)\DuoMi\Skin\Default.pkg

Filesize
1.2MB

MD5
e00ffcae478513cb0516325d15faeae3

SHA1
c7cf202b9cd88420ffc07d2426d757be82bd4cfc

SHA256
2013513ff39a2182f40859a65c0026ceb7d352bd59cd481fd2155152e83ba20f

SHA512
5a41666e02ca4b511c78326cf62845912c5b1e49ff6ce3b107a03a8c41006352da5e5b247d03f45e7ebb3dd168f4ac5ffc1ed2f1da013fa2c41c8631bccf62b5

Download Submit
C:\Program Files (x86)\DuoMi\Theme\Picture\Í¼¿á0.jpg

Filesize
110KB

MD5
12ffbf422e2ad785292b3a182ac0c6ce

SHA1
2276c74caef13939a4eed5679d4d7ec70bfff2c5

SHA256
1ad7011a5269e00d8611af061b05087f2c54f3120d2f4819c19067fa68d5862d

SHA512
28e36ccbeb4b0deb91ab8fc09a21eb735328433a6e90a58fe7ab50c89a5d33ff48544ddf68e19d1743accfe8818eca61536a3fe95e92151691e99de78d9a1b35

Download Submit
C:\Program Files (x86)\DuoMi\config\cusconfig.ini

Filesize
3KB

MD5
6170232ae798d0ec8d2e9ba293ee0c40

SHA1
60ee2d85e385de634568f28c85416ee4b9ddef70

SHA256
7c116e83a76cda5495ed05cd736531e6940ee0f1b5889a854a3ffceec85e8e30

SHA512
24090a1a8bc5f49b89016454262127d627090e3a965671551fe0bab2d54b94112969988bfc6e8737e74aff464979e74384bce438ef1692bf552df3ba322859c8

Download Submit
C:\Program Files (x86)\DuoMi\config\cusconfig.ini

Filesize
3KB

MD5
6632c4573e69983d291c2c3c6868e707

SHA1
33c405f1b1e47e72a785d1165ab8bc023f71a4b9

SHA256
a30f2cbe644207f2aaeb16300579a6f3fd9fb53cb8c8729e13e0cb2843885caf

SHA512
23189135fc6083b6ad7b658c91c586fca088adbf78f075101f3afedb48a39663b6717591aae97c708ff951dc2f82ad1eb160de51e5f4448373d053924c19d696

Download Submit
C:\Program Files (x86)\DuoMi\config\sysconfig.ini

Filesize
3KB

MD5
e4785a2a4032dbb4667dd16077ac892c

SHA1
c1483e8feeb044b25ca46a3047ab56f0acb51bee

SHA256
e3412721338a773799432a5d8fc968126ef11b456acadb7fd1b54ad8aeb71fc2

SHA512
56f45038ef2b3343a1e503221c5d06224e14657f3da4dff722991dbc0f888f63db52b327655564b8f3d5bf8295e77e629019408419754cf6372937a48d2c8585

Download Submit
C:\Program Files (x86)\DuoMi\config\sysconfig.ini

Filesize
3KB

MD5
02f1cb2b76f60d3cee7a2a5e0525ebfd

SHA1
200f79cf12c320a77a28ccb6abf42fcc1ecf13b6

SHA256
1d4e9de1f4cbeb06980f7b20028e6eee1aca08e063d9ebc7befb4aa6648e7e42

SHA512
10d9df3bf343ebfc4d61f9f1e468bb4c5f1268ba539da84d054f78be1e960d7d3b0524ebb215eb42494c070251490d49d161b1805981292171481dc0c6c21b0f

Download Submit
C:\Program Files (x86)\DuoMi\config\ÂþÂþÌú¹ì.lsk

Filesize
64KB

MD5
03b22bc5426f24e75a0e7acc8f698d1c

SHA1
2d15535c2b5ce2777e976e3a85ec639c515f1671

SHA256
bbdeff21528d813f6eab46daef7fc848d0395d1e84e0153765fe7d441d8b3184

SHA512
6432f8532b6298ea85a143f76c4b30abe0712cc201d12e0db7de426b5be79be7a264ed3e84a2e18af159f052e04849b8eaabfd3a308b9addf6d57ef186de99e6

Download Submit
C:\Program Files (x86)\DuoMi\data\cusconfig.ini

Filesize
25B

MD5
cdb721230507dbf90c7c87d244af7a90

SHA1
6356f2007a60307ca20315536e98abe39f075f46

SHA256
d080e6b18fbedb80dabedb7c3530ea09685b9ad584c905064ae8da2ed41bbabc

SHA512
44505bc892e27e102a17af5e959867fe036e1b24dc03f03782d4cadf1213ab869915f7ac9addffd43e285a8ab6aace09e43a532f1ec5af734e3f62c24fdaef0b

Download Submit
C:\Program Files (x86)\DuoMi\dmcommon.dll

Filesize
341KB

MD5
863eed3a3873479142567025fd2f79e5

SHA1
f3260f0c96cb3be900d718b9a31e31ef247d670a

SHA256
a467a7d7152f16a00fdabcc0e4b46bf1876faeef1e07f674a6b6c934f25b94d0

SHA512
f866855bf34302482ebf0bae5a92e5fc537352c6d8cf7eb526162bc72c3dbf7f20f7b250d8334fc6367847bc169e3ef487abb1eea39d9bf045d0f2b92bafd61a

Download Submit
C:\Program Files (x86)\DuoMi\dmdeskbox.exe

Filesize
144KB

MD5
1ebd1a8de2525e6932e389a54d3bf392

SHA1
9927dec8dbaf5fd68828ecf2ca3092b98c77ec09

SHA256
674ff51e887870b594f17fc52645f9988e4fbc7cdcdeac6964e164ee5ec6d31f

SHA512
66606d88487675646d561d5fc4c2565aac5dfe32a6206be72f36d2622a6549347cc597ae57ea2f39577f5f57bd80e86caf182242368d7f1f9f2c00963915cde5

Download Submit
C:\Program Files (x86)\DuoMi\resource\mp3.ico

Filesize
25KB

MD5
758dad3b00dd72c0853ce77643eeb69d

SHA1
b159453a2768d35b959edda5aa0ac2d441d92880

SHA256
615ffa8f56d7eb49d6fda62c6bd0c54bb0ef8b9258409d77186dcbe5c9b30a8b

SHA512
3e0d80018e9842fc24389a2a1a848bc1ab2eba4f412216196d24b54f2cf5944efac0929e91cb9c03d3f8f1e0452a6ad3ff9c2e272ad918c578c743ca0041ae7f

Download Submit
C:\Program Files (x86)\DuoMi\resource\rmvb.ico

Filesize
25KB

MD5
828586045f88de07f3f0c66baacca604

SHA1
6b60a06fa74b8446dd1064f3966636fd9f11765f

SHA256
915e7c73162ef50df387f3246f4abc3ed3c6a3e4fe268e2463d9ef22d94b633b

SHA512
3504ef82521d240425cb2cd5c9d26debe2c980487cd024ebbcda028f7db99faf726bfeedac4d647c55d5e09395a4ac46e41010e11b1d55f05d1c2b7b44b118fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst88D1.tmp\Shortcuts.ini

Filesize
548B

MD5
7e8845ef346c5a6b54c63f9bd5bdc4d1

SHA1
f778000a99d409c8c0287b38ede0dd8adf7279dc

SHA256
504ed10282db3fa7d0183d193ae0cd599f18c409934a219202943873ede34ca5

SHA512
1b72932e50936f5cdff992f00b2cfcfb896efe9e1ccc37e5f7a46acd0f1a273e2563eea8eb0994cc38df4ad7977db2e2e31cef7baac6320732d4b4bd4fd9c247

Download Submit
\Program Files (x86)\DuoMi\DuoMi.exe

Filesize
464KB

MD5
f81a2916fecfea6cb3030247d6b2ef46

SHA1
8e9f47439eea0a513248cf1cdde6544af06d8214

SHA256
b30db602370e8a1e9a5fc27fba7b8093172fdc552dd32c3851468c52e1554638

SHA512
e4a2321bfd0c6e3d7042310ff1324fef5c40b7903a0e216e6b45bd57e52928cd6813d5828decf3d857338fde8fbd52ad13412c32ef56cd7d0277f191abedf3a3

Download Submit
\Program Files (x86)\DuoMi\DuoMi.exe

Filesize
330KB

MD5
a6456d45b43e504ebadee96cf9f90042

SHA1
8dcbff7681dea4bab7ae316a8894a30f45ce3e7a

SHA256
d6a86a496eeb23e14292b8e792b08e3f69c424ded170b2e6e06eaefeedb2415f

SHA512
89d4b67a44d447c25a64d5849e84ca80dc03ff89ec4056d7ef0e583decd3d81174a45cd3c41e788fc11a0740ec51fb76ced0668978c0b76e4f2ca6a31029eb53

Download Submit
\Program Files (x86)\DuoMi\DuoMi.exe

Filesize
304KB

MD5
1e6c258f0309d8ce7bc896d3317445a1

SHA1
6b9a2f472d42e3e45787df12078ecf1c9c7ac5d9

SHA256
dc0443b01faa78feafaccbb31d935f5cc70237b528c5f33950b8999abe28cfc5

SHA512
23265c8fdcdf8d3397fd801dd5be8891899bcade65a5a56bea92cfe39fed500969db47bfee8132b29ba79a05af5ca2a1d56bfa323de77496609dce588f3dad96

Download Submit
\Program Files (x86)\DuoMi\DuoMi.exe

Filesize
197KB

MD5
82ef52ac2fd25213b63e09b4f4476d3d

SHA1
619e273b106777bc4df78ed2a3cfd5b3afe16db7

SHA256
02a29d8515886b832bb6868efb2d2c705c9f0364f406397773db98c110c2f4e8

SHA512
b85a526fd4144804bd33461a68a46a29f1290a67bd96803807ad95fca47f00ef4a84e02e57c0f624d2fec71d649dffa0f19a9e82acf8604b703ce5ad73c95828

Download Submit
\Program Files (x86)\DuoMi\dmcommon.dll

Filesize
179KB

MD5
5efae86b9327153a16c36a95b72f9ad6

SHA1
ab7ae1ca819d3a6aacb33aa7e289d9ead50c8e29

SHA256
24dabca2dd4c530763bf07ea93ae0b5ae3267e10a280b6fea01d5d8a328ad25e

SHA512
9194154e424df64c5ce2c0a58e48dc42e9be6a37122e5b6f81118d00bc1151bb21ef3b3b6b6db69756f2b48095cb49adbb2c469a035cae30b2d7e5c97fce2e34

Download Submit
\Program Files (x86)\DuoMi\dmcommon.dll

Filesize
664KB

MD5
4a8a7d3297e3e6c205825899dedd0186

SHA1
9f52b311f625135b3035fbcec51838061de7eb06

SHA256
329ffc6bdba46f9f3da249727ae4dc561761b9b541085de2800affdb09db3eb2

SHA512
8eb2b6936c251b0b318474f44ca41db2bf5ebaddcea8502f36e94f0941dd60adcf75db25db8910686f696d80132ad56760051ad9ed9929b7c992436ceb092676

Download Submit
\Program Files (x86)\DuoMi\dmdeskinfo.exe

Filesize
152KB

MD5
dd1687f1d96acd0998b3ee11da1e849b

SHA1
1814c6b344fd08ebed9d8861b845ad4428998c87

SHA256
2d38001adbdb9509c32fa13679afe20f0818fe477cb0413c66df95c15eec6575

SHA512
9424e9c65462a86c891215d2257006a9713c59ef558f753bbcf9842f0f157aefff2d57d7040cc98f7a602d8c3ee980065c601391eb08880d7062160feb1cabe4

Download Submit
\Program Files (x86)\DuoMi\dmdnet.dll

Filesize
200KB

MD5
b94139d0327be5c6c5ffc2e3b6384008

SHA1
373f35741433011c13f19bf8a29b05bbcb203890

SHA256
3c0a667027616191ccdacaaccf1e696a5c2b36f46b045bb6a9aef787095df60f

SHA512
96c8d85bd9c741bcc55732b61d86d674560278519b7626b4c14f8de655edc2395d3da1ea7b744db75b0c68f8bf24e402505fa0c4fba87aa6e2b0dc9b0e2bed04

Download Submit
\Program Files (x86)\DuoMi\dmlyric.dll

Filesize
40KB

MD5
9c68196558b44fe1f9c18771d7c646bc

SHA1
2b19191237746801d08842491d75ba0a564f8958

SHA256
25485fb6572626a3a85caab5e63bac60c71a33502d18706994541f72689fec3c

SHA512
516a961f7f56d8588a0bc765c80088abdd62f2776c98602a25418359cff6a45130adeed5de6420b7fadb4ade2927899f13b8989855adb206b15b5066a35dbc3c

Download Submit
\Program Files (x86)\DuoMi\dmlyricctrl.dll

Filesize
116KB

MD5
974c329f4fde2ba883d3ad4409b81323

SHA1
1abd7c14c88640e3923df99bcdfb8d446a9d480a

SHA256
8674340f0e0cc6e7214e5119501923259e625bf6564726d33485446c17b12d0b

SHA512
aeb038b6f1d2d6cd6838e85331ecfd6179ba7eb483c6828e105d14d8c93f9cab2a2a76d934f7db6374de537b4370cabcfcd65429efbb3cfeb73c16fd643013f5

Download Submit
\Program Files (x86)\DuoMi\dmobject.dll

Filesize
73KB

MD5
824fc40bd871979a38101220a3e1faa1

SHA1
7fbe5ff358cc4c20ecb3c84219ce2cb43a40bcd9

SHA256
de9cddad2d4757149ad30a7b9051a0233a1b95cb50ff514f04ffc92c4d0bcfa2

SHA512
40e32018fec23a9c8f3537c6cb9815878b0a6f802b55e6fcb26bcee8203da27fa3fed88d0cdf5f7da881f0607a82f665f843f04d7b8072e10426ce4eed1e0e14

Download Submit
\Program Files (x86)\DuoMi\dmsysinfo.dll

Filesize
23KB

MD5
50c674228e4efcb542fd6966fdc3e7de

SHA1
090932b5e7087007f074dd57ba7f4946ee0fb7d9

SHA256
e77218b465b287d7793dab47109f652e437fb77a6dfd24b573095b928bc90911

SHA512
6ce972ecdd545695dab423be3a023c3489e4ad5bec4c247095f0667a53d2e8609f8ee5d4ae34437ce1ffbd134a1947f0c4c7db374d05ee74d799cfd4a9cdfc16

Download Submit
\Program Files (x86)\DuoMi\mfc71.dll

Filesize
222KB

MD5
1b7762a3ea7bdd8a0554b166319edebc

SHA1
ab92d55d61a39190bab89495255ebf7545c25625

SHA256
dfa1642134aa53a68f7aa496953bc9a4a786e0951f4df2a4aad9f8e4284b068e

SHA512
e3de8625a8c2f8e2bf0609dbf2b6de2b578d14ad47a3991942ffa6c3c630d001bf0c2dce7dde97b2a71bc8c8e4316dfcb8599a5b6fa10b8254b6ffa33cb01700

Download Submit
\Program Files (x86)\DuoMi\mfc71.dll

Filesize
412KB

MD5
2b47d866074db3cb58e8cc58aefb2b78

SHA1
10fa50971a7b3df1170e3950e3b6e9646168e3f8

SHA256
4d43e00013b8b7090c06fdf867aa6df0b85c88c3ad2ca075f5336f8483a5fb8a

SHA512
3cf026b3b599b86d25a9f01433999b718f21e282dd77e4bbc4f680b9fcf1f2d3f6ab9510caf95f9d000f2a9e8fbc0648f9ffcb8bab9637251c915c989a61ada3

Download Submit
\Program Files (x86)\DuoMi\mfc71.dll

Filesize
788KB

MD5
c9b842afd0640d7d0e1fa8b8357bd6f7

SHA1
da5516bdfca948d500bdc7a0350a2bfa455ccd46

SHA256
82f33b3c94de8c39e1a2ebec6a2a22b2b8a777f578a7c7f57ef3ed20440a0e07

SHA512
33f9cc99aa37ee44f1d12313f804d046922ae5f2d0d15270daed53dabb4cbbd5fb483fcab1afa557a28baf5e80090587ff997c82860f309e5b684d30d9195a5b

Download Submit
\Program Files (x86)\DuoMi\msvcp71.dll

Filesize
251KB

MD5
aa651ab204ff1bf24ed8022537c90941

SHA1
caca2ea86b4f1af45ae42803f412ddb07aa47594

SHA256
0925a13cd95661023dc9a50811d25e40f7c7b07407023e33404888dba1d65000

SHA512
c49e41fa96cac1c9bef7767f54d8b4898c02e0537e78f1279219aa610de50d33ac164b8a1e460c8f796b23710c1cd99bfa8ebe0a1037e601b027b49db39c611b

Download Submit
\Program Files (x86)\DuoMi\msvcp71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
\Program Files (x86)\DuoMi\msvcr71.dll

Filesize
283KB

MD5
26094cd2a03ac258b4b24c2927bbcd6f

SHA1
4939c810ddbbe628282bfb6b298d0c8bd81230d1

SHA256
d06d7fb80bf754b9f7a8b8baa8807dda3f2dce854138fb2fb7cf8747c3e7f405

SHA512
e28fc6a13c953e1491468b1299a1fde11f6a08decea569846506116524f32f02b160ed0db68f5294cf9a51502df180b8a7f759fae6f11287526bde68939ef937

Download Submit
\Program Files (x86)\DuoMi\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Users\Admin\AppData\Local\Temp\nst88D1.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nst88D1.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nst88D1.tmp\inet.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nst88D1.tmp\rfshdktp.dll

Filesize
2KB

MD5
9410591a148871a6d0629cf25b94526f

SHA1
be1e8b0fe8327f185136a0d2460a68f720484535

SHA256
acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7

SHA512
465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

Download Submit
memory/2372-321-0x0000000000630000-0x0000000000662000-memory.dmp

Filesize
200KB

Download
memory/2400-36-0x00000000004E0000-0x00000000004F1000-memory.dmp

Filesize
68KB

Download
memory/2520-296-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download
memory/2520-329-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads