2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497

Resubmissions

01-12-2024 00:29

241201-as8kssvmek 7

01-12-2024 00:19

30-11-2024 15:39

30-11-2024 15:34

07-10-2024 06:29

Analysis

max time kernel
42s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 00:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
Size

5.1MB
MD5

6ee7ac1240012848440758195631f74c
SHA1

45a42a492d9d02cc3457a404377c73c69c219e92
SHA256

2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497
SHA512

e5af0638e0a44e076432ea0af9c814b3a7e2a65c4acf185a5e836ee12a317895706bf4d32ae66af829fd6bb8aac0ba3ddbd650d0a1482dcf189d930e666d0525
SSDEEP

98304:fn3Y5tIFveFoHkXrloeemyJF2yg2YsB32cgOSyj0sn1zf1x3KEkKyawM58iawWHk:fn3HJeFMkblFByfg2L32q/ndNx9kRM9P

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	desktopcal.exe

Executes dropped EXE 5 IoCs

pid	Process
4620	desktopcal.exe
3904	desktopcal.exe
4792	desktopcal.exe
3836	dkupdate.exe
3748	dkdockhost.exe

Loads dropped DLL 64 IoCs

pid	Process
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
4620	desktopcal.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
3904	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DesktopCal = "C:\\Users\\Admin\\AppData\\Roaming\\CalendarTask\\desktopcal.exe"	desktopcal.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktopcal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktopcal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktopcal.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dkwebctrl.exe = "11001"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\desktopcal.exe = "11001"	desktopcal.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
4792	desktopcal.exe
4792	desktopcal.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe
4792	desktopcal.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3748	dkdockhost.exe
4792	desktopcal.exe
4792	desktopcal.exe
2348	LogonUI.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 4620	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	100
PID 1464 wrote to memory of 4620	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	100
PID 1464 wrote to memory of 4620	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	100
PID 1464 wrote to memory of 3904	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	101
PID 1464 wrote to memory of 3904	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	101
PID 1464 wrote to memory of 3904	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	101
PID 1464 wrote to memory of 4792	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	102
PID 1464 wrote to memory of 4792	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	102
PID 1464 wrote to memory of 4792	1464	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	102
PID 4792 wrote to memory of 3836	4792	desktopcal.exe	103
PID 4792 wrote to memory of 3836	4792	desktopcal.exe	103
PID 4792 wrote to memory of 3836	4792	desktopcal.exe	103
PID 4792 wrote to memory of 3748	4792	desktopcal.exe	105
PID 4792 wrote to memory of 3748	4792	desktopcal.exe	105

C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
"C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  "C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe" -savelang.ita
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  "C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe" -savestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3904
- C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe
    C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3836
- - C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe
    "C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38cf855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dkc_background.png

Filesize
5KB

MD5
7f10e2778be436731dd8491d492f5207

SHA1
de7da03d5b3c710382d21c0956d8df5c36326cef

SHA256
a0586fe99c9e0d1e94fbdc4173015dbc28735684813f50aed517af8cf61bffe0

SHA512
4e62d720eb039d2a15811226ed94814e106079facfa37e0ca244e2402b26274d13384f65c1ada643f3708bde61c8ca26fcf0a21d8265b42d9fccb177b027d1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_bottom.png

Filesize
708B

MD5
0f07fe3eec21fcdc8bf97bd865c6500b

SHA1
56da55b18d81d57a8d33c8514f0cd81789dd989a

SHA256
6f8cc3644f2095b33cbd5c31c4870d15ef04c9c7be0126e4e66d40e888eb964d

SHA512
701f8aa4bc18acb838d8997e94ee3c0df92af1c5dc7a41795b043119d1c4c6f278612d83ece496c6066192854d1da0477b0037fc7728263fa9b2bd3600b7f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_close.png

Filesize
712B

MD5
e7a889b50ae9afefa73045ba670db165

SHA1
71202f829dfdea761fca99a6c1d7f76c2cd5a412

SHA256
2a9def0150983b2d7176b61146dd57d05a44e0f4452ac0574e309542f3d9782b

SHA512
12110fa84bd2282b4b805ee8c0958fbd73344c110a1ec8349a00155636453bfab3296a3f8fc07391ac72e9f45df47cae29c391e53448afc70bcb3344a4ce3584

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_onkeybutton.png

Filesize
903B

MD5
f49b9fcf13339ed99722f9976ce0f32d

SHA1
c9207f7626b923528c1acaf36390875718e2246d

SHA256
aa24761f9fa2596c6c51fc81adfce41424f1f8f8e7a0047653a62fc8137f3e6f

SHA512
07bee7f88af4ba24f772a401e6982f7bad85eada263ae04962cc205ac88cfb1a6672fd87e83eb3f650d12665d4cb387811a960217a1f3d5fe0f5ade84b78af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_onlangbutton.png

Filesize
1KB

MD5
3a9674dbcf2f39809a5e118a3a512409

SHA1
3c624d1a3cea4dcc2db45ecb6dead387844f8655

SHA256
2be27ce3398d5f58504524f580c948f89712ff1de89a99b54706c0e0c93bff45

SHA512
f436d2cae388a9c82e8baa32a2d6184d656fbf94142e5b66ec4aec68e35b8bad2f3163ef0b228f84adeccf88b6ff49a476de277a6bca32c71d1320da9a68fa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_background.png

Filesize
2KB

MD5
348f6de2fbc51323084ac4ba3c9d2002

SHA1
0edb2b6876c0301c4d8a68ae290ba78445c0c484

SHA256
c43168daa882b6715028d6fd6d69272def885fa13b94836b730bec3faf6854af

SHA512
8f6754d47034e29fcc8900331c4bd068e5eefbd447e261503bd248b2a2140a6990610a8ecff6e1ce88538cb9031463ca98783de2fa40b6e7eacab3dcca3daf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_bar_bk.png

Filesize
131B

MD5
5017b8b0edc93fbca26cb412262ac6ec

SHA1
5796a012a5a1671cee4e4b0cfb062a837070c42b

SHA256
0a9286dba766de0eabd58e9bfb489782c64db16bfb3f978e94e5990e58ca09c8

SHA512
1435ba51ff93ace1aa84d45160bfba309752be660d6e1fc017f75651a51f5e39939bba6de47ed7eea5b40cb2fa10d1b236716932f8151c8bdc0600ba0167b110

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_bar_go.png

Filesize
129B

MD5
0a535097bf2375674264d93db75b7c87

SHA1
ad5eca6f2ce9331508d69f54e24c6f508d079315

SHA256
2d0a117f54a5df5cbd75620bfa70fcafc098dbbf882f1fda2c6af73fa483c8ad

SHA512
912c79e1440e49e2f551828878191fb6c419cf082570e961f8dc5dc1860318541d9d470e990853e49b31c745a19034b90bf5cb4591730a89582dd5a48f0ba8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_bottom.png

Filesize
366B

MD5
a6af35e0db291dc9505e9438f9e97ce9

SHA1
cc321c583c01971c7af5e814a432c7c4f8d7132b

SHA256
e540880ade05d1826d5d6610a348e74b05e181d0330687bbdd039dc0ee4a6faa

SHA512
b5f5f30e8a7f8ae88866845b2266a68083314d5366af9f032cdcde366a70978795135da8c8734db3b20f84edf70bbddd0e88efe6c77db39e505a6a7819ff25a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_skin.txt

Filesize
170KB

MD5
00c6dbb5b70e4054d84b14bf6a4660c2

SHA1
2d2475848e4316c790134aa124aa7156c0ec7b2e

SHA256
4049ea8f4bdfcd260be37254b6ff5573ba05fa96610c43754def662cea8d6b39

SHA512
b57873b895948b80b57d8a0a841e7301b18c0028aa587d86dd8eb5d208ae7bf79d64af25e4019ceb551cf079602edcb7a2a0eef539b3aae54c30a99c628d63dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_title.png

Filesize
375B

MD5
c36c136fcc7e375532f35078b3fb80ee

SHA1
0cf9ffb2d7fdea950e69e4b934982ba55bca8822

SHA256
1871548bca7e034c4022ee1041f0ebe1e215adb82a6a9566bcbfd0e57bc6e125

SHA512
3bd72b5f8279cf9a36a8bffe90781a1cab3160a932b82416d136d2de12b6de7c95e332cea2a76c5d1ee035704f483d835ef3b0b8617f84e5dafd36b4afff561e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkcuninstall.dll

Filesize
109KB

MD5
826fe2f255324f7ab00cc90d3f0747b6

SHA1
c7056ee14d12423422376fe950753ac599f5a6ca

SHA256
54d3b13339ab132e4d2a61ae5a272deb0aca8d9108ff19a9831f6c73da3fd289

SHA512
e4352cd497c8bc72cdadb6fe02e24a687d7e4989455e208d9bc437f9ef64f370fb8231fb749189e736a7a7146b54ed0c721f548bf000cbd4fb36b3426ae8b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8455.tmp\LangDLL.dll

Filesize
5KB

MD5
410a586735f45164c86bda363ad8446f

SHA1
a68d18a8c72ffaa8f8d9ed9f76ea9b0ed397821b

SHA256
b15b1fc88d1b56088b2d3738d76772a91fa186a316a3e0a154358820d0fb9005

SHA512
d12083f67df132b2be57c202601a0cf82dba4c234910e780d2723aac14ae68407b824405b04737b55104bc97750550a3271a944d647661b067ce134075e6cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8455.tmp\Processes.dll

Filesize
49KB

MD5
138869ba3c86d7546f8c24e424dcd114

SHA1
db7f3227a7671ac9fb2fd017eca10e390cae2a8c

SHA256
71630aea3eef367f9a88bafb6ad3511a3bc7dcc4995e9eb84b09f8f777b22d65

SHA512
85a94b8fc6e0497a21a4d982e62405725b4d18a0a3c65f5f58b40e93bedd8bea5103f6ac9baff7bd3c93d4f08e0eb24f2c4e0e24dc346c231b87deeb725e1230

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8455.tmp\SimpleFC.dll

Filesize
175KB

MD5
d38543fc9ae37d188a23e06ee11d3504

SHA1
174fe778f66db4a527fddf21b1c23e1bc1ceceeb

SHA256
72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e

SHA512
43d1874e5821d8e5530eaa34d42b76aa867528368779fadcfd2691825297accf04e94bd34867442a76c25d4729edefba9469de6500acfe6f665949f11878c54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8455.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz8455.tmp\nsSkinEngine.dll

Filesize
519KB

MD5
eab7fd287509faec84e23cbdc1a709a8

SHA1
b6d659af538f7d57bd679e8c7626d470392c4429

SHA256
9702f538888f45fca67a1e2c2d7aa46fe42010c1aed5b0f34a51f989347ed9f0

SHA512
701f089f55bba49e0a9ba906fafce581693ccc99d445265ec1ea3794a4b5044f1011d90a9214c60dc0ed6be48f4fc4e9882ba07136268f7ebb0156e0b206d15d

Download Submit
C:\Users\Admin\AppData\Roaming\CALEND~1\update\xdiarys-setup-v3.cab

Filesize
5.4MB

MD5
5a2c75508ee146731507b535237fa13f

SHA1
b2a4159fedf737342a3d2640e3ea9667727832c3

SHA256
40f7a84e4261b46edf9069520d2aa87e4865e6523212c9ca817b0c004bc8d23d

SHA512
a15da9317c4e17d7c6ee632d9534a799c6a142d2e1bfb31e6400fd04ad2a40c5a2442ee351ec9cfe4c56f348deca9bef6f915841ffba5b6042811f8e26df1917

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\ATL80.DLL

Filesize
95KB

MD5
3e9a33113d663d8bd5ed38858e669652

SHA1
1292dc7ffc35a1ef2b761672361bcffa7483169e

SHA256
63e1985a37d5993d170373bc28d067c13c1541ca2b63968b82e35eaacd927b49

SHA512
a2dcd0d5db662653d3085d2ab39e8697b25e096fd2093e3f5ca2edb3087356814adb9f99e490dc95293198e05551a3ddbb3fa2918b8ed5f76d84a22268bfbe7a

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

Filesize
697KB

MD5
ba7c2285afc82949168424d8858376e4

SHA1
1564cdddd14640ec820bc04a64c3a632d0ffb167

SHA256
ab224dbb3b114cca10fc923436cd42808687b4cf7c2863c806c22f49a8628411

SHA512
cbf6e84e2d01f2920d352be8ec202c41753884813e75428bdde434107b7910cda7043f491e28cbffc7bc6409db8ce8310c5a4379f1c6e7f10f864906288c21a2

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkbase.dll

Filesize
801KB

MD5
d20804a5475463e243a8166b98e008d3

SHA1
8e04961fc03159f5e378b8de6c4db170172a35fd

SHA256
69916fe86baf461a8ad756283312bf1135c89747f341c995618b7f363eb49446

SHA512
2a0eb2f1aed74bfd75de3bfe87e716f1bc20a12cb059e61306cc3d330eeaf79caab6592e978eec57a348a42be2e6775e894b4a20bb3b0da3867dc7e275932944

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkcore.dll

Filesize
444KB

MD5
3a5849e599fb7b72a5cd8b2cec35e394

SHA1
5f73010ef0ac585b1fee44c120c3b3f6627f9689

SHA256
8af997f6c3589fb09b3b9c8651bd9631818ff39d064a1a0bfee005538aca7754

SHA512
6e8c343f61006949b75853175bb527c04d360f023eba3c6a369c97dd1bc7703f0afe70ac32447675a9759715c25ac935ba55f26c3bd383f027f25256b6edc5c8

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkctrl.dll

Filesize
1005KB

MD5
f5621e1becdb5cd4dba2dc83054544d3

SHA1
bb5f4313456e0afcec4a516484e1700282f22499

SHA256
ef618545cd37507b72788427f4cab4249725d231a4a873e1ca404e30fb007c17

SHA512
bcb8add217e7c6ccf35bae3afc1edb435c5f4d3b246aacdbe1573005ce92e58d13366dc810916f517d8c8271a6581223a896b854c5d89c1e512b321b5b30d420

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkui.dll

Filesize
1012KB

MD5
474aef5811effbd9abc306925a2834b1

SHA1
3522629070ff4d0806c1e2b891ce2ecb54fb3a48

SHA256
2d9281bc4e842cc4e4afacf74c118f8d8c5a2197f3254454b00ba3d7baead001

SHA512
a9f2a960e0c31eae983caecd3f6941ce23515ef5bab42c4b4148158b07a02a8cebd0548721f44e8eb7cd83d3760e3dadc90e02f721ec5dbefc8bea4acc097e8c

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\libcurl.dll

Filesize
482KB

MD5
b1f4e12129881373bd2017ba6fd1e50b

SHA1
530006812211677e593d87b12f808a3070a76468

SHA256
f11d86d65ebd3406cd876e96aaea7f1a0b316efb5887baf3625556e247621cfd

SHA512
c5923a17b5444e3a5543359547d4089d0c3d2d4be11e8d48ebace13b204f8c1edcb439507c5f874de26c6907c89a1ab8cae9fe0b83087b8aaf53441bc0a9031a

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\lua51.dll

Filesize
136KB

MD5
590d9c36dfad77891d55165b27b6b048

SHA1
8b28a217188139d208a7a882e18a7b103f2e51df

SHA256
198b37482d8c1be56bf80b0b55d3d33b63e0868fe39908a82e0ff56bf5ad9d6b

SHA512
e45a0c3d6a18927ba095b014335d72e5b2545a74d3c9c8ac8608590687d8a4272b7aa14248cd3cf2a46a81dc7ee21352b6ccca87834c1cd4de70e892954ccc50

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\msvcp80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\msvcr80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\sqlite3.dll

Filesize
552KB

MD5
fc7db46484442ed0deb46f93f58cf573

SHA1
5195565f5e753fba6a077fa92d608e5dc57abaab

SHA256
4f9a4eeecf20a98a38117d3ef334c8a8270f8bcbeb07bf0d1a86b56fe5a53aea

SHA512
fe9bae58dd480b9bbf9b98902f8901a71fb43c9c1da5ffdd93fd08e4ec1c63894c11de58fdfa69a8122639870ea1c3b9672b584ee646c36b8d241d740a1a2cb2

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\update\updateinfo.xml

Filesize
194B

MD5
28135b7fb22fbd5fe8d1e69d8065267e

SHA1
00ecbe803ae575d1e7e3d7cb6a5aa92b72ead26e

SHA256
812d9853918d840172b272f3d638dae55c5b3ad78dc84ec80705fb18d6234e07

SHA512
4e48b77568d197c51f6c3f0c9280a0f440248d5844536a0ebd598e3e0c67c0fa9f863ff7c870b86c483933d713081684a9786a11b53202a9bc6aa05ab5254ca5

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\update\xdiarys-setup-v3.cab.ini

Filesize
21B

MD5
952c667569cd9b383387317615e533a6

SHA1
1ae8becf616c2974e7b1489be116d6ab10af4322

SHA256
d69cc03a7b416bc58a4edffce564f30ef5097806ab1d12999e4d8263ae243b33

SHA512
796e4aca92887e5d0d2f9f120cafe207fb8013c7950532cdf211a91447a0974fed67098eab9c77fb169ed954380ed814a69815036d9f002f871fda3d93258f9d

Download Submit
\??\c:\users\admin\appdata\roaming\calendartask\resource.zip

Filesize
79KB

MD5
ac637a3a9ff6c74375edaa0ac0a20180

SHA1
aabc500757a8afcecf44d7ac0853d3943058d51f

SHA256
2f8fb59ba5fde76041bc4293683a2c21b234289090c78c7af30a85c1463b3538

SHA512
8f99b28925f48c50fa095b24c125964ee8d900db645d72d88506f6026c45e06e9d6e942425ab10dd3e9737a7d973ada6bf2551849d1eb7d679aa07fcc06e75a8

Download Submit
memory/1464-144-0x0000000004CE0000-0x0000000004CFB000-memory.dmp

Filesize
108KB

Download
memory/1464-10-0x0000000004970000-0x000000000498B000-memory.dmp

Filesize
108KB

Download
memory/1464-39-0x0000000004990000-0x0000000004A17000-memory.dmp

Filesize
540KB

Download
memory/1464-119-0x0000000004CE0000-0x0000000004CF1000-memory.dmp

Filesize
68KB

Download
memory/1464-301-0x00000000059E0000-0x0000000005A10000-memory.dmp

Filesize
192KB

Download
memory/3836-703-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/3836-396-0x0000000002960000-0x0000000002A27000-memory.dmp

Filesize
796KB

Download
memory/3836-389-0x0000000002740000-0x0000000002762000-memory.dmp

Filesize
136KB

Download
memory/3836-387-0x0000000002640000-0x000000000273E000-memory.dmp

Filesize
1016KB

Download
memory/3904-330-0x0000000000610000-0x0000000000632000-memory.dmp

Filesize
136KB

Download
memory/3904-337-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/3904-340-0x0000000002A20000-0x0000000002B19000-memory.dmp

Filesize
996KB

Download
memory/3904-344-0x00000000027F0000-0x00000000028B7000-memory.dmp

Filesize
796KB

Download
memory/3904-347-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/3904-352-0x0000000010000000-0x0000000010071000-memory.dmp

Filesize
452KB

Download
memory/3904-351-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/3904-326-0x00000000008C0000-0x00000000009BE000-memory.dmp

Filesize
1016KB

Download
memory/4620-287-0x0000000010000000-0x00000000100FE000-memory.dmp

Filesize
1016KB

Download
memory/4620-286-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/4620-247-0x0000000002C50000-0x0000000002D17000-memory.dmp

Filesize
796KB

Download
memory/4620-238-0x0000000010000000-0x00000000100FE000-memory.dmp

Filesize
1016KB

Download
memory/4620-227-0x0000000000950000-0x00000000009C1000-memory.dmp

Filesize
452KB

Download
memory/4620-252-0x0000000010000000-0x00000000100FE000-memory.dmp

Filesize
1016KB

Download
memory/4620-242-0x00000000028F0000-0x00000000029E9000-memory.dmp

Filesize
996KB

Download
memory/4620-232-0x000000001005A000-0x000000001005B000-memory.dmp

Filesize
4KB

Download
memory/4620-225-0x0000000000540000-0x0000000000562000-memory.dmp

Filesize
136KB

Download
memory/4792-372-0x0000000002CD0000-0x0000000002D97000-memory.dmp

Filesize
796KB

Download
memory/4792-420-0x0000000004810000-0x000000000483F000-memory.dmp

Filesize
188KB

Download
memory/4792-398-0x0000000003980000-0x0000000003C63000-memory.dmp

Filesize
2.9MB

Download
memory/4792-371-0x00000000029E0000-0x0000000002AD9000-memory.dmp

Filesize
996KB

Download
memory/4792-363-0x00000000005F0000-0x0000000000612000-memory.dmp

Filesize
136KB

Download
memory/4792-361-0x0000000000820000-0x000000000091E000-memory.dmp

Filesize
1016KB

Download
memory/4792-705-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads