Analysis
max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
26-07-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
Resource
win10v2004-20240709-en
General
Target
1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
Size
323KB
MD5
13782987c9a5c4ad10e8b1383f0ac2f3
SHA1
3806980775dad8044b68ce95c8cb29169ca8d72b
SHA256
1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8
SHA512
453cef5bcdff5ecdd9400a0bf045ece446f8b5a7673d999840e79b0be3b7832aa677ae40fcf036ced152915ec6781bbd319af3e78fc42784ae3e5bdf1fc90d3b
SSDEEP
3072:l9cCrlEZG6zE3Yc8wDvjOxmQ/q8xw1J0pSsz0GK0iRkPkNF82QuH2jYbw4mLtHGE:l9celETLTuPcz0GK0nsNv2+w4Om
Malware Config
Extracted
mylobot
op17.ru:6006
eakalra.ru:1281
zgclgdb.ru:8518
hpifnad.ru:3721
lbjcwix.ru:8326
rykacfb.ru:8483
benkofx.ru:3333
fpzskbc.ru:9364
ouxtjzd.ru:8658
schwpxp.ru:2956
pspkgya.ru:2675
lmlwtdm.ru:2768
rzwnsph.ru:5898
awtiwzk.ru:9816
pzljenb.ru:3486
yhjtpyf.ru:3565
ogkbsoq.ru:2553
rjngcbj.ru:5655
jlfeopz.ru:4698
wqcruiz.ru:2165
dtbmosz.ru:5482
cedzwym.ru:5178
lfodgsy.ru:2787
kyadfij.ru:7727
sqzqfpi.ru:6183
bngkuxd.ru:3656
uwbdgwk.ru:9788
coflexo.ru:5788
dtisylr.ru:3414
lnxjwru.ru:8822
zgplspa.ru:5944
zhxxatz.ru:4692
uirxfpw.ru:3795
ddmysat.ru:6971
gwkyldh.ru:6439
nebcigp.ru:2656
udgsdda.ru:3787
deosyae.ru:4487
eyusuku.ru:6718
yeqrpiu.ru:8994
qqwyalf.ru:8479
ohldijw.ru:1393
slcldlk.ru:9813
cegbdrd.ru:4317
ttjyemg.ru:8947
coezoqc.ru:9952
gokumtm.ru:6351
wlxlunm.ru:5266
fqqcwhi.ru:6447
eswujje.ru:4626
xxlncuh.ru:4322
zboxkzt.ru:2557
ahnmlsh.ru:4668
qgoktpn.ru:6725
hyzaifx.ru:7547
cesejhl.ru:4629
xfaydww.ru:5496
trlpqoh.ru:8289
atwirgt.ru:5353
wriymdo.ru:3342
dxoyayx.ru:3438
fsgxnnp.ru:4124
gokhdft.ru:7267
gsuaodq.ru:2438
xzoswpg.ru:6487
umwdrhs.ru:6433
efgjeph.ru:2344
rmrfdka.ru:4646
lpedkeq.ru:2247
zhwtbep.ru:9518
pwpoycz.ru:2639
txykchz.ru:9881
qtwmsfn.ru:2911
fjbpwlp.ru:8513
pjrurrp.ru:7647
fnygihe.ru:6493
inuedbr.ru:4493
tlbfmty.ru:7985
aukdzhw.ru:2816
trdiacy.ru:6465
srhfgzs.ru:7227
gjocmdx.ru:2982
zrfezjh.ru:7716
xoeihot.ru:7338
oirqzku.ru:3921
zwqlmae.ru:6893
xfsbbft.ru:9361
xntsxno.ru:3691
esxsxqy.ru:3642
rngmdcn.ru:6296
cwrrjzu.ru:6412
aqzmtyx.ru:4566
gnzqowj.ru:8254
xbnodqo.ru:7154
jrsakgt.ru:7437
mdyxzrg.ru:7329
xjkhjaa.ru:4998
tzobylw.ru:8844
kfsdypf.ru:8812
llfbdxc.ru:1398
ymamust.ru:6947
rqyptph.com:5493
iecwtoh.com:9788
odogltu.com:4386
dgiyfas.com:1878
yjyoafd.com:5314
awaosyk.com:6945
gxzwxyi.com:7818
byytbao.com:4738
ahstbxa.com:1213
hfqsehb.com:1988
efdcdns.com:2338
dabweox.com:4126
pezcgnx.com:8277
injkamg.com:5295
qymahqn.com:4826
kzzlnkf.com:9359
jazzham.com:3243
yqoyhwe.com:6418
uwejurm.com:2131
xfhkcus.com:5577
nlblxiy.com:9414
juiozwx.com:1219
ugpmrum.com:5229
oaidpsi.com:8438
rnlzozl.com:4887
dcqesgc.com:9224
wxctcrw.com:5913
cotrokd.com:9444
ticfptx.com:1156
qgkkzlg.com:7889
fpucrfa.com:9179
tbsnzww.com:8479
gakkhek.com:3991
uanugod.com:7856
kjyzegn.com:4857
bzjnbxl.com:2999
zcflfhl.com:7784
wxbksmp.com:2928
kkwdswu.com:6178
oyqqsql.com:8886
kiidrms.com:4473
ejbgrpl.com:9941
xjnpziz.com:6676
wbiougw.com:1625
yuoxcci.com:6898
upcitje.com:2846
aleukrx.com:8547
ypawugw.com:8428
oezjmkt.com:4248
afnbycy.com:5383
rktkgnl.com:9155
etqzdnl.com:6993
juycste.com:9145
kyrfhpx.com:2333
ewresus.com:4761
lpmjumf.com:3941
wldqfhi.com:6943
tkoknzo.com:7132
djwyapw.com:7977
khcikch.com:2329
yhefchl.com:5174
dcnrmbo.com:7117
jtnmuld.com:1657
gmnabqj.com:8845
fpxbome.com:8115
rfwtlxl.com:7784
uputsdp.com:5644
qjfxkpl.com:6826
hxfxuuu.com:2164
tubizhk.com:9327
irakhgo.com:6214
yfrkwyr.com:7946
ixotiot.com:5934
zsklatu.com:9384
tcgxhoz.com:6199
xaguysc.com:5444
lobtkhe.com:5588
nfuozol.com:4242
mymjcct.com:8992
xewukyq.com:1538
gaxxure.com:5544
buyexsr.com:6675
pxjcugo.com:1794
isbumkw.com:4647
wpdeppt.com:8373
sstsueb.com:9413
bzfztec.com:6773
lcysuae.com:1576
pjaohzi.com:5582
yjixtbp.com:8666
bkpbhtn.com:2689
ljnfmmk.com:4571
hujgsks.com:9819
expcofy.com:5281
bmterdk.com:4827
qqmuisx.com:5159
jgfiadq.com:7565
alsffnw.com:2983
cocdpif.com:7591
jyppbor.ru:3485
nugisfp.ru:7689
amfnaui.ru:5418
wshakrt.ru:9298
exnhamw.ru:8755
dlcmbcd.ru:1791
takhnqk.ru:6585
ccnkngq.ru:4794
ggcggux.ru:3796
kqgjsnb.ru:6677
pydzqce.ru:6766
kwidwap.ru:6597
dgpclgy.ru:2679
fkhqrqc.ru:3314
sabmzhq.ru:8294
ezwaeqs.ru:8522
znntfzo.ru:4533
ojyoghr.ru:5587
kjkewpn.ru:9882
bmejaqp.ru:5799
nfwppfx.ru:8152
cmchnlm.ru:5476
imrtyde.ru:8179
hdnfuhq.ru:6387
qeqxpng.ru:1158
attcddz.ru:5291
ckeldra.ru:3287
ahuykif.ru:1235
elbanza.ru:2336
ufjtazd.ru:3716
icligpc.ru:7165
ddfaagk.ru:3684
lhkoczo.ru:2658
bemwzel.ru:2562
tmutnbl.ru:7396
ixxdbsq.ru:9448
fxhgrik.ru:9958
rqhzzmd.ru:7611
ycslqlb.ru:5617
mxmtmim.ru:4447
taltbdc.ru:4439
aqeogjr.ru:7162
ixwphir.ru:6781
tqpqdus.ru:9532
sdaqawu.ru:1376
ybrlhpe.ru:6379
cjbhkao.ru:3977
etqpmtq.ru:8791
zfsuauz.ru:5699
nyttyrw.ru:7541
xgfmfdk.ru:8827
yubseyf.ru:3233
bobfetg.ru:8837
qndonjo.ru:1813
gtqxacm.ru:8852
rrwmzwy.ru:7592
sbanafs.ru:3963
lslactz.ru:4519
kxnwrpb.ru:2546
knkoder.ru:4492
wfzidwb.ru:6613
pudtfwo.ru:4936
xdmmchm.ru:7161
nfaadeo.ru:6644
jatwcah.ru:6676
iblipcr.ru:2336
jonyotb.ru:4588
cehupwj.ru:8823
sadimow.ru:3654
ogubkup.ru:3714
ixbmeky.ru:8499
baeozef.ru:2337
gpbeuwb.ru:7923
sxpobet.ru:4834
qdrccob.ru:8782
swncgbc.ru:5475
mwpqner.ru:4192
jtiiijc.ru:3138
mnrcbxj.ru:2669
zewkzwg.ru:8181
frlegsb.ru:4228
xolanwb.ru:1157
llunbdh.ru:5371
ksmzkji.ru:1261
yhemqfh.ru:4468
hephgzq.ru:5883
ghrrtiu.ru:7118
nbkbale.ru:7325
oijlmxl.ru:2548
esadarj.ru:4541
ldwgdgz.ru:1436
gxhnlsr.ru:7335
jtqfmto.ru:9745
pkfzihi.ru:7133
exunbjm.ru:9739
fqwqcje.ru:3469
nnfrcft.ru:4394
eaflknp.ru:7276
yczxjab.ru:4357
gzgsylu.ru:7946
xlefzdz.ru:3385
fyfuska.ru:6788
erpmuii.ru:4933
euhnqjt.ru:8156
lkthqmr.ru:1324
gewjyiy.ru:5192
giksmcy.ru:2691
gekdcdj.ru:2428
xwrtmoi.ru:5726
djipobz.ru:6879
phezrnz.ru:4623
gwebrlo.ru:5637
swwcrcr.ru:3126
zefjrtb.ru:8377
cpudseh.ru:3123
bdgkfeg.ru:1831
otpzcan.ru:2189
recsqyj.ru:7742
dguwsbl.ru:4668
mytdchj.ru:6123
zfwdkju.ru:1973
zkkibgs.ru:5852
hqmondd.ru:7936
lhjsksp.ru:4889
yggseaj.ru:2968
gjfhigf.ru:6714
ytzrhfn.ru:7741
qatlwrw.ru:9225
ldnkqrt.ru:1866
kdfptak.ru:8247
jbujluu.ru:6841
uypbgml.ru:8679
jzdjtat.ru:7755
nmzqnic.ru:9982
ysexzqp.ru:9688
ulfjfxf.ru:8964
imygddx.ru:6268
hworjgr.ru:3165
otwzgnl.ru:9586
fsuxufu.ru:8865
wbllihr.ru:3977
mwtxclf.ru:1538
jshitfi.ru:9291
bhzbplx.ru:1942
lmkcrom.ru:8648
fbrsoll.ru:1333
oczzzxc.ru:8464
jjhcmht.ru:6491
awnurlo.ru:6539
eialwnq.ru:8981
acmmecs.ru:7279
qwbygaq.ru:5447
wuweotb.ru:2564
pxagaxo.ru:1468
tnsogul.ru:1957
yyuojrq.ru:6446
hhxrrur.ru:8915
rcqagfk.ru:2283
gjynpza.ru:5566
opnckzl.ru:9861
obtpxtu.ru:8512
ccgcsad.ru:2519
ketzrlh.ru:7143
sxjleym.ru:4179
knosmzq.ru:1554
ftjgoda.ru:7582
jocnwob.ru:4865
ewytcur.ru:3216
szzekbg.ru:5311
xwtdmin.ru:2268
ykuaklh.ru:6248
kykdafl.ru:4667
yrruqmc.ru:6632
lbpzbwu.ru:6689
yyizowk.ru:6515
zqibpzo.ru:8925
lhutehx.ru:8916
fezqdaw.ru:7672
nyzosdy.ru:4825
rzqkpmi.ru:9643
qwxynxl.ru:7999
slpfgox.ru:4141
ijwggxz.ru:2471
ledsmih.ru:4519
bfzkjsd.ru:2576
fuojgch.ru:6145
oqyzzbl.ru:3199
jiwbdyo.ru:9812
pugkngx.ru:3165
qbyoiin.ru:4265
miicskm.ru:6196
gpmfppx.ru:2454
mkialie.ru:5333
lzqwbfu.ru:5628
lsnidky.ru:2532
xcsgsjs.ru:7953
tqxbure.ru:4771
ontnsui.ru:9953
nudqkub.ru:1675
zrbosqq.ru:7696
ousmbdb.net:2571
coaazbs.net:7113
jxezfur.su:5977
piabruw.eu:7993
cndnagb.biz:6314
ozsbrca.bz:2567
tgedezf.tv:1252
wbxsljd.org:2143
suaxltb.org:3333
txknxnp.org:4646
widbnfml.net:3463
qjszjmht.net:5722
gbqosyht.net:6435
muwsotge.net:1957
ijynjghu.net:1658
olwbxxdc.net:3795
bzsqndui.net:1539
jblpbiby.net:8489
jyzkflaq.net:2728
tnngbnmd.net:6621
zhquqsrh.net:4978
kpzhzeen.net:4473
jpjrnkix.net:2853
fejsqrcf.net:2686
axmjcbai.net:6369
gubunpom.net:6583
nlrkwrsc.net:4845
mpalxmot.net:2188
hyoqdhne.net:9886
udjdsict.net:4388
tonzqkfa.net:5414
zddnhant.net:4155
eglrlwps.net:5357
bxjrisjy.net:4459
mhsnxnkb.net:5724
nibuquba.net:8553
zpnjtnyu.net:9612
ymjttirr.net:4617
orzkjedk.net:8754
jrxcrfbp.net:8728
wdibzeog.net:9952
gqesxetc.net:6126
huukfcpp.net:9426
ctfkeuqh.net:9773
srypsstj.net:7548
meenacxd.net:6964
zfmgxyby.net:5325
ipcrppnu.net:3633
gifbpzsi.net:7463
wuaaphjy.net:8679
dgxuftsn.net:6855
yhwwhslh.net:3859
kolyroro.net:8672
udriklye.net:6255
dkgtxirc.net:5491
lbaizkfo.net:8958
rtkntqob.net:2819
jmfhbjbo.net:7731
ftgrwlwd.net:9676
jwdlwrrs.net:4583
unbhxddu.net:8356
qsqtadib.net:6767
gjrnplpe.net:1388
tprqornh.net:9723
ocnilbnd.net:9456
xgyzqpzh.net:9539
tlmcplxk.net:6554
grzcuubq.net:1841
uqapbzjd.net:3453
jrpbuuxb.net:1322
pcmftuby.net:5223
wfzwjkfl.net:1242
gxmnfipy.net:5154
bbadzdnn.net:1329
bhkholoc.net:5179
xldkazjb.net:7175
hdwclykg.net:7848
ueucxars.net:4976
mmporhdy.net:8975
wgkyinht.net:7796
ctlkbeun.net:6721
yfdmqzmx.net:1823
jccqfnim.net:3879
fgbrmcwh.net:4125
fuibykao.net:8755
jthkjfct.net:3435
dliqeerh.net:5734
jnkmjwcb.net:2664
odwjnnuq.net:7292
fntlgzud.net:4637
arasqflo.net:8326
ppawfxxr.net:6357
lrqytctc.net:4546
zlzgiuta.net:8572
yrenoekw.net:8293
rffroddi.net:2389
eglyuwao.net:8257
ceezkaue.net:1237
jtuhnjyb.net:7662
akdlfbgy.net:4183
bncjycan.net:9185
cnkmzbok.net:1672
guynsjqc.net:9243
kzqnzyjs.net:2472
jmftmarj.net:4255
hsiwwwba.net:6675
uxkeyhod.net:1942
zxesneyp.net:3663
bziesaye.net:3879
subpkdsc.net:2672
lktcdhsc.com:4322
xsnnouxn.com:8341
rxmtsfwr.com:2859
bdbjfaiy.com:3587
spdjotbw.com:5681
lwuohtfs.com:4332
lrifeskb.com:1364
jnbuzdsj.com:1582
aybuqwns.com:5354
uyiynfdg.com:6658
tpuzgcjx.com:1672
euynheug.com:6579
oikdrwrt.com:2666
ajknoerg.com:4112
iehqrpew.com:3891
cflyucjs.com:1118
jsjlulwi.com:7557
okjnznul.com:4476
cmcmistx.com:7696
zoiauqxo.com:6142
xidszdqf.com:8777
ryftnrek.com:4292
wurrgkqu.com:5867
mxylguqs.com:2248
abtyprgd.com:4394
ykrybyyy.com:5331
jnlsqolj.com:2432
hpjdpxhn.com:2851
cxiqrmxb.com:5824
endeioun.com:1358
dyjtlhdy.com:8497
qzcmqeye.com:8229
mdliouct.com:2163
imehzptq.com:1956
fkgdnmop.com:2814
nnaxlexa.com:4943
tbkpridy.com:3889
nlxggyad.com:6432
hujlhwqw.com:1645
ghfxgxtz.com:9972
jaxwsikr.com:5868
qtlmzqwq.com:5723
ixhiusbo.com:6273
nxzjhixa.com:1226
llcfmsmx.com:9181
pozlkbcu.com:1554
kajcnodf.com:1747
fqxxtfez.com:8954
hpyyiabe.com:8317
llmdwapw.com:4249
wkpiyffp.com:5449
xkzxiskg.com:1551
dszuhygq.com:2292
hfxpyhzt.com:7953
ytmewsdd.com:3286
pznzstai.com:9386
hzwwholr.com:5853
irdmnkss.com:6817
kqjiibgf.com:5235
oiqhfate.com:2317
isrnaili.com:3954
orzalhri.com:2858
ypfzqugc.com:2187
guduiwle.com:3782
czdbedlq.com:8788
satngkrc.com:2939
rhfjlafg.com:4665
enkwxewz.com:7966
hmboassc.com:5348
uxlwfhms.com:4832
hzzxkefr.com:7293
uujhtnpm.com:5269
rknyjitw.com:2812
lpgnaxon.com:1162
txarhwmj.com:9975
lodauofo.com:7787
uksrosxf.com:7187
ioskxygw.com:3673
hrzzqabo.com:7134
apdiskpa.com:4372
sgqrguhc.com:9715
jupwgffh.com:4833
eoihwhsh.com:6788
bcuiyaik.com:4722
feejexze.com:3814
lkpftdrg.com:2677
ragawmap.com:3186
otpemngc.com:6729
haucfcjl.com:6849
jridaafg.com:2759
atoreyxb.com:5976
umupwrks.com:1112
izpqfqko.com:4714
pydyojke.com:8497
zppjpssx.com:1863
hphdugbr.com:8196
ypbnsmkc.com:4548
ihaculzy.com:7273
zizcigfq.com:8923
nfrqneii.ru:8823
plzidkwc.ru:2874
epokrlpm.ru:7211
ymodnpbm.ru:3595
zozqcijm.ru:8758
whidhlhj.ru:1137
enqptaro.ru:9585
dnkkmsdk.ru:8474
ynkppmys.ru:2861
yncumjgt.ru:9944
qxnnyojs.ru:7394
bfmygact.ru:8457
kupkcalu.ru:5252
tsgpjccs.ru:1694
ygmskriz.ru:2829
faqerplr.ru:8557
zodqeasa.ru:2862
trnfttwo.ru:1362
mbxnqkpa.ru:3996
gomfjthg.ru:9425
onodfwcp.ru:6485
ubiknoew.ru:9424
oezqztpr.ru:6382
mxgnffgc.ru:9861
mmhdynab.ru:3797
bqpgmrdt.ru:6341
fguoszyh.ru:5169
bxnzpnjo.ru:4815
gslukycn.ru:9898
utsoiydn.ru:2351
daztbzdx.ru:5987
qpljfpxh.ru:8495
khrpziyg.ru:9157
jqkhhbws.ru:3153
kpreqrsz.ru:6786
lugxsxgl.ru:5475
kkdnbqyx.ru:5424
zunujdzs.ru:5313
qgnoxmck.ru:1696
acjfywyf.ru:6512
qxhsbzht.ru:5334
riyjuueb.ru:1784
qeiyjmgf.ru:9879
bmdgkhgy.ru:4186
bkuofuwo.ru:2254
ellmhzxp.ru:5915
gkatexrr.ru:6347
kqwfpwiw.ru:8935
fbkiknuj.ru:4882
qrtfqtji.ru:7388
muqoknkx.ru:8166
xjldmfyc.ru:2559
dmwihrxf.ru:9983
sldptgij.ru:9431
cucdfcsx.ru:5681
exneoohj.ru:8187
dnqlulxl.ru:1195
iekempcm.ru:5757
pkzzsnbk.ru:6222
ojfctycf.ru:1591
rjbkkxxb.ru:7678
myxymodm.ru:4847
gtprulxu.ru:1311
dbxneqff.ru:2369
kzxeomuc.ru:1362
jpdgcygn.ru:9726
rpwgznqx.ru:7745
huglbquq.ru:3399
uoklclma.ru:6777
ykxteoho.ru:8271
zlwogtoy.ru:8722
uncmswyt.ru:3745
ewgxnamc.ru:8611
yfyddgbp.ru:5349
kccpeane.ru:5358
rkefhnnb.ru:1798
noelkwbq.ru:6188
xxacpreh.ru:7662
mzgbkfag.ru:1569
bidtqrkt.ru:7777
lrdzaout.ru:1192
sqpclazb.ru:8787
okxkyxwp.ru:4211
zhizinxe.ru:8869
zwzjcytf.ru:8124
xqzoogkp.ru:2681
zgpprkgq.ru:3982
jttwjqza.ru:9285
kticyhgf.ru:3796
aaueuoti.ru:3996
wapfmkmi.ru:9797
xaxzdpxu.ru:8217
hpplezpn.ru:3146
ymgmxpwo.ru:6331
uhywzhzm.ru:1317
unowiegk.ru:7283
fjtasqfd.ru:2357
mrwaccmb.ru:7979
cfzqlhbd.ru:7313
sluerqsd.ru:4628
rdgzlqhf.ru:3528
nndwjzri.ru:4954
guonsguw.ru:9737
uuwlalbe.ru:5563
cqsqiluw.ru:4681
nowwdukb.ru:5625
dixpbqbi.ru:1884
hzudzixf.ru:9671
kmgndaij.ru:8557
skqgzili.ru:1578
qpdpzdcm.ru:3524
ncsdztpn.ru:2163
fquchbyl.ru:5562
xzwrurfg.ru:5792
umqccyqa.ru:6497
xijdajfn.ru:9833
prjtynbx.ru:3388
ebozoutc.ru:7217
kfncedxs.ru:8341
njcyrfhz.ru:2559
xjupochp.ru:3399
znmdctrt.ru:3771
bttgtczy.ru:1144
kruaxgtn.ru:6424
promdemh.ru:7883
ywozcftg.ru:2545
xfxhjxer.ru:2313
zaqousxa.ru:4443
kquosqjp.ru:6723
qigkyubu.ru:8653
sebkzmrk.ru:1635
fpeirmyx.ru:7839
sicqpdor.ru:6238
qoaunlrq.ru:6556
pasoejob.ru:9167
ltwlxiil.ru:4332
bihnxhkl.ru:1953
ixllirtx.ru:5553
wnpaatln.ru:2722
gbhiolil.ru:6281
ihmkqfxz.ru:1259
olcsyeeh.ru:8676
yzrmraod.ru:8564
ftxpqtyf.ru:2581
ecxfpwlu.ru:6522
zbeuhamm.ru:4954
jrwrscox.ru:1181
zjuuqjwf.ru:1826
rhobekxn.ru:5487
jcrribai.ru:1825
liwrnskz.ru:6192
zqurqugi.ru:3561
fmoncrhz.ru:1596
beetxiij.ru:1214
hijgnafy.ru:6326
kjekdmsh.ru:3488
hulboiuo.ru:2718
iloesokc.ru:3312
qgncxqeg.ru:8382
aklcrcda.ru:9419
nbnkamox.ru:3158
pzdefglk.ru:6571
sbcoklho.ru:4875
agnefwla.ru:2311
ninzuwow.ru:7638
fzhlhfta.ru:7619
dsgslnog.ru:5778
bjitmdsr.ru:6422
pfjdnjpe.ru:2338
emlpjbnq.ru:7955
rjiuttmn.ru:4118
xowafmuu.ru:3988
xfkpjiat.ru:3676
hmbjeiur.ru:4878
kuxsliga.ru:4646
liwltjju.ru:5598
yfwzkxpc.ru:7944
uihfnbjh.ru:5656
ismfrtib.ru:4295
pixkihth.ru:3398
wsbwfmpm.ru:5111
leamldny.ru:6656
fhokrood.ru:2292
bodkkfud.ru:3686
zickxamo.ru:8196
djqxwndr.ru:7249
tkjepnae.ru:1578
hzfmyasf.ru:7898
ybssxlts.ru:7313
bszykufq.ru:4646
eatijcry.ru:8662
gpdpdwam.ru:2659
hrkdwazf.ru:5356
hzfeomei.ru:6766
eqcfprpl.ru:5271
ngdbilhn.ru:6428
rhyonsnx.ru:6417
zdppgkkz.ru:2248
ypdbkeoi.ru:3996
znnsxnfw.ru:9329
limzorog.net:7398
zxoexbgy.net:7866
toydieze.su:5988
pksozeih.eu:5271
sjlqqjwb.biz:7637
swizfzyc.bz:1129
frrkdlwy.tv:4216
prwangyk.org:9463
ceguyepo.org:7538
hfasdchg.org:5443
tgoswjqh.org:1198
ddwdeszt.org:3756
qfhpkqjz.org:4958
ethepgxk.org:6323
wtqikcca.org:2185
ezijzazl.org:9294
tbxuiabs.org:5681
cnoiolph.org:8578
mpwcucbk.org:2147
jjfoknti.org:7133
cqxbljoa.org:5388
xcnbsdsm.org:8478
nfpzrnnn.org:6496
doamfsml.org:2552
gtxgrfwy.org:2836
owfdoure.org:9152
enajlnjs.org:7787
doggfxjm.org:8743
tjwxarre.org:6357
xmubagbc.org:4374
djkoyrga.org:7995
oesofetb.org:5484
dycolcob.org:8563
nlnylxjf.org:7287
fsmylhnf.org:9817
rpdgzdwa.org:2416
kzcdufre.org:4914
sbphsgya.org:4321
ljcnowcr.org:6319
atcnzboa.org:5584
fdmiqnrp.org:8884
hdzdrgtw.org:7336
xybhbjgj.org:8733
xryjhjms.org:1451
rytycwlj.org:5732
lghnjpmi.org:5158
klclqsql.org:3738
pwoyozsh.org:1761
gwkhsphs.org:3861
sctxqggr.org:6356
qqsbbecl.org:4988
cmjysquq.org:2448
ltkopcns.org:6344
tzzgirje.org:9724
wnccrljw.org:9841
yffabknz.org:6483
almiwzli.org:5578
gyxywill.org:2542
xkuctmhi.org:9858
eccbwysz.org:6549
mttosqgz.org:7976
tlnnexgy.org:6841
upaiunkd.org:6821
ffcpnuli.org:1292
hfqmmoww.org:7813
spdrstkc.org:2863
coyiapzm.org:5632
pzjjicka.org:3972
odwogsuj.org:4116
elqdhjib.org:5395
fmcepxsb.org:6981
clwifmgs.org:1527
ahbbuxck.org:2523
qnagwrgr.org:3249
rlyxedyd.org:3547
hyiiuxff.org:5876
qbaipacx.org:6131
ebskiixf.org:6576
azwxfxcf.org:2465
tbcifras.org:6666
zweimrkx.org:4346
zmyhsenk.org:5383
hfadecwd.org:5446
tiyxybwh.org:9423
pouwrluf.org:2961
mtbkurqf.org:2325
hpdtggzs.org:3943
clblsmdc.org:4712
exrwqfzr.org:6984
fryhagas.org:5986
jznjkydz.org:5521
auwsmdjz.org:1288
iqddymlo.org:9877
mlpyimma.org:2659
dbyjadsl.org:5819
gpwebbdr.org:4122
ngsibbpy.org:3768
luafgtud.org:4616
nthixnzt.org:6585
plofeqyh.org:7435
wcfniziy.org:9835
xmehonpr.org:9287
osqjdbmw.org:1696
dsjsjean.org:3543
aumoxfaj.org:8314
ftuueofh.org:8115
jmfqbdjj.org:9485
quiitzeh.org:3573
cskkjblx.org:1646
cpindonp.org:3818
bqqsssdr.tv:2593
wjfodgmj.in:1577
wcriyesa.xxx:3419
iydmjgzl.us:5873
oroeiodb.biz:7785
gzlbaowq.co:2326
uiqsaemc.cc:1263
dxarbdho.net:8598
aegxeken.net:4825
mnpfsdlu.net:6321
ktheexrh.net:2171
qxiezqeh.net:2632
gubwplma.net:3527
pkuoqtob.net:1281
uilajqiu.net:9993
bygcmbue.net:4751
ocyhcihr.net:7831
msxdiwen.net:4848
spzdzgud.net:1179
tmypjhge.net:3771
zhwifxkt.net:6687
mggfzygk.net:6464
jjxrcegi.net:4331
xyplrrlj.net:4717
glwympyo.net:2816
klpdrawm.net:1485
kuikiihg.net:7512
smcuawsd.net:4854
ibhfnkon.net:1394
stkgzfoh.net:1297
ksxigcie.net:4331
wccgxlzq.net:2373
qdfznnac.net:4297
ccfnttto.net:8324
cgguocaw.net:3915
rgmnfcee.net:9485
pxwspkkn.net:7882
oaysgsdo.net:5928
tsghqbmi.net:7481
yzyopjsn.net:9765
wtxpgpqu.net:1682
ejicubxq.net:8153
tqkfwtzs.net:3774
smyesmwi.net:9111
phtdopqm.net:9631
cimhthgg.net:1398
qmiyxxwh.net:7526
einbskxn.net:7438
fuidrsar.net:5956
gfwflpur.net:8788
wnbmfxhd.net:7685
sbjorjqq.net:7261
kowqgzds.net:7784
kiyaxnxe.net:5575
swjqlwod.net:8842
lfktsebh.net:7143
rkrurzph.net:9539
wyptwxup.net:9358
fcepqijw.net:7674
ofzcqtdg.net:8944
quoqntsb.net:4264
lzjoltnk.net:7769
zlbytidj.net:2736
pbhkhfri.net:6754
lpwaasxs.net:9618
ibuelfuk.net:7389
aljlbcog.net:1358
zkysqnng.net:6113
fybkenru.net:5444
bjzdpfnx.net:4549
wuuegbae.net:3925
hkaeoquj.net:4671
fceajspp.net:4461
blrkdpie.net:1542
zkubeppe.net:1874
plrwzhpu.net:4465
mmcisbgx.net:3877
zbalzusr.net:2839
fctybcye.net:7696
cfotfpcb.net:7311
blwgjxrb.net:6525
eepygxrx.net:3819
conltnfb.net:1689
cjxnllac.net:3325
hadwulws.net:3887
xscsohsx.net:6866
ghqtjrtm.net:1646
pqdldwyc.net:3663
kapemmbt.net:2672
wpgsmtrq.net:1655
uizpktjw.net:9381
ungggfuj.net:4929
sriixedf.net:4337
jltttesp.net:1885
rfwehknx.net:6983
gfbatygf.net:5784
euzedayz.net:3287
cmhkznyp.net:7484
axlsqocz.net:3737
fnqcanxw.net:7484
lmjggtuu.net:8972
ynyxlsoy.net:1654
nlktsfjo.net:7334
hrtuygtf.net:9136
pwysqgri.net:6283
uspaeloy.net:6948
zewuwkrl.net:7457
nheoqesw.com:3616
jesdggup.com:4416
xnnytbub.com:6256
hiafodqh.com:6729
abyptyuw.com:9365
lrgjfjtf.com:8768
xohdclns.com:8646
hzpbicou.com:5568
ayaxqrmq.com:6842
zjmmbwfc.com:3125
ojqgkaqe.com:1864
wzcdppwj.com:3516
nrjxxyhy.com:8375
uwkpaqwj.com:5573
bmnyahgg.com:5637
esapjqhc.com:1219
rznptjzp.com:7789
ajiwqbfh.com:1854
ffqtkexm.com:5129
khpfmkpp.com:1775
ydyljxyk.com:5462
dnjbbtsd.com:4956
zjrbsmyt.com:8891
zuxsbloy.com:4221
pdgzgipc.com:9346
rhrwdrgx.com:5896
wlxxebbh.com:7625
sygeulrj.com:4984
eiuwojyc.com:4238
ktyhgrjj.com:4471
efgsijkn.com:5199
qhsomdhk.com:9191
qlxrrlnn.com:1541
qcobjswy.com:2641
nuapotgx.com:7814
xljucbcn.com:6673
bkfzipgz.com:2333
xikzmoxm.com:4816
dkyrkaeu.com:6651
mzrlnolf.com:5388
qfgzdjmj.com:4929
yjrecqre.com:7621
dhskwijo.com:2959
kcywsrxo.com:2222
kuokyqny.com:9188
itutmyok.com:1364
fpnexhha.com:6168
eoordzgm.com:3936
iziobozb.com:3343
xqkwczpr.com:3245
ofairnur.com:9716
dupdagjj.com:8671
xgmcyiaa.com:4685
wmxiyowo.com:1336
rraaeuqm.com:3253
umxoztcz.com:7113
hrhugfzc.com:1668
kdtuyrqi.com:5258
mcwyewsq.com:5175
kmrmewyk.com:9789
btprkhof.com:2885
apzkjmga.com:8265
sxpmacqp.com:2175
zytlttky.com:1468
dkkoziha.com:7277
txjtezzh.com:4529
nunisrxw.com:4355
yscwiuft.com:3222
kryfwwuo.com:9599
tbathbof.com:9281
mrnmohku.com:7297
mwztczwd.com:5446
fqedxshk.com:4686
nsonehwi.com:3825
gljchbss.com:1866
xxnbmwxy.com:9445
jmjjcgxe.com:3813
klrfbwsg.com:7377
xwgjmkqo.com:3274
tbzyjrhw.com:1436
ycflczbu.com:1697
ufjyijuu.com:1433
dlykdyju.com:7537
sdeboyxa.com:4574
fbfgklue.com:6463
skinzusr.com:2368
xljcsgwj.com:2923
mdujbmqz.com:7459
mrgyzjgy.com:5569
bskswimo.com:7379
mmxyxymn.com:7411
kjzwmhfp.com:6588
eotpkezp.com:1197
xcwpedwr.com:8795
gtrcqict.com:6732
uiiokhcw.com:4468
dshnlbhj.com:6615
ckywwkqz.com:1565
podysnnn.com:1954
ijolxkdu.com:9152
hjpqgxrt.ru:1666
moyiufju.ru:5833
rkdicbag.ru:5921
huwcqgwk.ru:9826
wuituzew.ru:1722
gfyflggy.ru:1848
pwpdeynh.ru:8769
epdumdyj.ru:2876
qfhdjzru.ru:6745
lrupxwxh.ru:3824
whsihlcm.ru:9645
xlmlutkb.ru:7375
psrpsunb.ru:4763
ewzrnsky.ru:2757
pymubdgl.ru:9728
djocwlel.ru:3143
dbsirmpy.ru:9714
ealihbbw.ru:8473
gptetmjb.ru:8557
xyyfapit.ru:8867
jptqiats.ru:2848
ztjgabjx.ru:1381
oqcstzbp.ru:4243
stlijuns.ru:9887
pdwcmhml.ru:7772
lykowcrr.ru:3484
itpjrwmp.ru:9392
espbbskc.ru:4647
uwbzbwws.ru:6852
diaypomj.ru:2899
kawiaayn.ru:7453
zoarmwwo.ru:1151
uaurlafq.ru:1959
mrzhgpup.ru:9263
knucizwu.ru:9483
ubonwkmz.ru:1276
sdhfwjku.ru:3343
mnmsbclj.ru:1922
wlmkxpou.ru:7493
gmbhlkbr.ru:2387
jmxcrbgx.ru:6684
wdzmekox.ru:8953
sxczqdlk.ru:6727
kykjcgrz.ru:9361
pkjlzjtu.ru:2546
lfbsxoyl.ru:6439
qprjzxif.ru:8942
gxdjltim.ru:8153
urnqsrrl.ru:1627
pbbidsgj.ru:9791
lehcuizd.ru:3696
zeoglcfg.ru:5293
byhkflwp.ru:6713
qbnzpits.ru:5613
klkfetfm.ru:7756
gykcokzs.ru:3569
paijmxju.ru:9128
cykwnxil.ru:1362
qykhmjrs.ru:5469
xjaykakk.ru:6818
kfghrzhe.ru:4717
fjmppybw.ru:5652
petixyxl.ru:6116
wqssublx.ru:1783
ebbqijri.ru:7269
fcwftrlz.ru:4332
gaqrswqb.ru:4858
ywkekluo.ru:5312
acouwdij.ru:6451
rkdtffzz.ru:9477
qgbtxxpx.ru:8147
ztopbtiu.ru:4568
ruqoystn.ru:9659
cozobcij.ru:2987
epicaely.ru:5253
htbtxdel.ru:1277
cpshswzf.ru:1138
adjroixs.ru:4812
ymoagxjr.ru:5752
budzcyka.ru:4219
kmeplhkw.ru:6191
lgzcpiyq.ru:3565
ecytflkf.ru:7426
pczobygh.ru:1942
sdlmpwrr.ru:5152
lgpmwrhl.ru:9376
pzzepzus.ru:9674
ycdfsbok.ru:9484
ipuxleyu.ru:2935
hspckajg.ru:2851
xfcpnpmu.ru:3457
xlskceds.ru:4821
ajltgqww.ru:5389
uicmbzwt.ru:2174
xayuyzfy.ru:8588
utbrmczo.ru:4945
nzzywglz.ru:7594
bmlsmzuf.ru:5543
axqxskgp.ru:9971
okreajxe.ru:6788
xeszumgr.ru:8952
gpqybejc.ru:8445
sgibommf.ru:4339
hqbuyetn.ru:2182
wpfyafqx.ru:2548
orpjshsd.ru:3257
xlmowhzq.ru:8296
lfsuxhxj.ru:3673
eukmxmlk.ru:7235
ghrdtmwd.ru:3194
dofoiyfo.ru:3492
kkwamujw.ru:5369
cyeosnzf.ru:4154
diyhxjqa.ru:9984
bjtajoox.ru:4669
txlhndoq.ru:1171
psshjlrb.ru:6815
wdllwoli.ru:3634
yetnkkqa.ru:2481
qnxtmrjq.ru:6945
ymuzekln.ru:3329
jewwryhm.ru:5111
tosfgiqj.ru:6949
eheotdpy.ru:1378
xtetrbwu.ru:7676
jwqeaekm.ru:9676
xniqlxso.ru:7122
uehpfxko.ru:4514
bhaxyxso.ru:6852
krnlqxmt.ru:3144
gcwpsikc.ru:8283
rasqhcso.ru:8493
nxhaqrkx.ru:4955
oxtutjfc.ru:6257
rjkejezi.ru:6722
djsatpkt.ru:2826
ylboxsea.ru:9561
rhrmjmim.ru:9785
ojphngsf.ru:6511
umrpsuxo.ru:3543
bmwljnnl.ru:7167
rkysppka.ru:4448
xtqxqrpj.ru:1634
hyppfmjy.ru:5828
aleuoptp.ru:9494
bbulfhyu.ru:7412
ubwrtmfu.ru:5689
iuimnpfh.ru:8285
ufselndu.ru:5958
glwkwmut.ru:5885
zaxcbsmw.ru:6539
ikbyojki.ru:5218
pcwzrugd.ru:8192
wxytmcqo.ru:9333
xbjzafzb.ru:5469
obnmezxw.ru:2948
cxzsznpf.ru:7688
gtzitahj.ru:7392
ircqxlez.ru:3479
sdqqpkyr.ru:6945
zkuulmwi.ru:2141
tkxakzaz.ru:7259
qqhsdkyd.ru:1869
fwtqypjr.ru:5921
csuhfzda.ru:3349
dxjaojzi.ru:2943
griyspww.ru:5667
kfxjfaii.ru:6657
fssumooc.ru:2425
wczpdgqu.ru:4921
wjtbmupf.ru:3541
gthfcqgx.ru:4472
yeqlcenm.ru:7623
qgtbhcbs.ru:4975
ydzuoxit.ru:2624
opswaxjb.ru:8843
kpptutbf.ru:9419
reigrqil.ru:6967
cafruyco.ru:1959
gdxisleb.ru:8141
oayluigc.ru:8614
bxozzyye.ru:4382
lnjtzsdz.ru:4453
yautpbsg.ru:1663
myogwpoq.ru:6459
dqqmabbt.ru:5779
zpctgbhm.ru:3392
czdhyobh.ru:2516
xfkyyfje.ru:1342
ysumlact.ru:5469
wmesrhks.ru:8817
ownxlrlu.ru:3245
jyudkhci.ru:1362
mihzyqyd.ru:7118
yocbjjqg.ru:9753
aeeipzyh.ru:2238
udxennsf.ru:9154
hleenphf.ru:5136
bddfaozk.ru:4639
bjxzalpc.ru:9971
tzuzsyfd.net:3318
otiifafm.net:3975
jmaudqif.su:7757
tktsquzf.eu:1247
yijzasrq.biz:6819
pnbrzljq.bz:4215
wqdgpigi.tv:8215
erlwnbld.org:1929
juculhdd.org:1721
kjjhnwjh.org:4972
ohxuxoct.org:3115
lblwunnt.org:4524
zqznhajz.org:4667
rfkujjhw.org:1155
aqgkndkx.org:7525
inokhrki.org:8192
umkepbuh.org:1292
pfuokfzm.org:9659
qfwkkojg.org:1188
oiicszdf.org:3848
lhatnjnt.org:6526
unzhfphb.org:2393
dyrshgfm.org:4167
foflisct.org:9888
mgqfqouq.org:9541
bfpzjmtr.org:2932
tsflxxid.org:7927
bgetacjh.org:1712
tpablqmo.org:1366
ngawypqa.org:4555
urwxrucp.org:5163
zczysufy.org:6752
uqwnmaii.org:1242
edlfsgpw.org:6189
xpjiynsx.org:4597
gnlicfdj.org:6426
hkmgbijz.org:8737
aaohwewc.org:3271
kggbdsdr.org:2559
bjctlyqy.org:4923
epegijhl.org:1535
qkqewkpp.org:2677
xxzzlfya.org:4527
wtggkyjh.org:1122
hpitwwwp.org:8948
pefnghne.org:3416
jjowfpbg.org:7581
mgoyghmk.org:1372
qfadxjec.org:1347
rheqxdzc.org:4296
qxuuymbz.org:1374
aiiagdej.org:2532
xmjpshhd.org:8542
hwhighmn.org:7141
xzqnbaiw.org:3323
omylzlxk.org:1753
lwwjenfl.org:4757
wwppxxby.org:1152
ugswdtuk.org:3396
gfcctzuo.org:8337
eqsgxnrf.org:4895
garrwuqe.org:8833
dinufbza.org:8631
cplieefr.org:1678
nhjssdht.org:3922
cwgxylkh.org:3476
auxogeou.org:2432
olqccxth.org:6983
dxqrdiup.org:2294
fjcmcsdm.org:9321
fziantsk.org:3323
dxzqlnak.org:4449
xljmlgug.org:5732
waamxuqx.org:8184
ttmaynlx.org:6622
ipqogpqm.org:3699
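The extracted configuration above is a flat host:port list of roughly 1,400 entries spread over .ru, .com, .net and .org with a handful of other TLDs, and almost every second-level label is a run of 7 or 8 lowercase letters. The Python script below is an added example and not part of the sandbox report: it parses lines of that shape, rejects anything malformed, summarizes the TLD and label-length distribution, and emits one Suricata dns.query rule per unique host. The embedded input is a 12-line excerpt copied from the list above; the regular expressions, the rule template and the SID range are this example's own choices.

```python
"""Parse the C2 list extracted from this Mylobot sample into a checked blocklist.

Added example, not part of the sandbox report. The embedded input is a
12-line excerpt copied from the report's Malware Config section; the regular
expression, the summary and the Suricata rule template are this example's.
"""
import re
from collections import Counter

# Excerpt of the extracted configuration (copied from the report).
EXTRACTED_CONFIG = """\
op17.ru:6006
eakalra.ru:1281
zgclgdb.ru:8518
rqyptph.com:5493
iecwtoh.com:9788
ousmbdb.net:2571
jxezfur.su:5977
piabruw.eu:7993
widbnfml.net:3463
wjfodgmj.in:1577
wcriyesa.xxx:3419
suaxltb.org:3333
"""

# Every entry has the shape <label>.<tld>:<port>; all labels except op17 are
# runs of lowercase letters, so the host part is kept deliberately permissive.
C2_LINE = re.compile(r"^(?P<host>[a-z0-9-]+(?:\.[a-z]+)+):(?P<port>\d{1,5})$")


def parse_c2_list(text):
    """Return a list of (host, port) tuples; raise on any malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = C2_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a host:port entry: {raw!r}")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port out of range: {raw!r}")
        entries.append((m.group("host"), port))
    return entries


def looks_generated(host):
    """True when the second-level label is 7 or 8 lowercase letters, the
    pattern nearly every entry in this configuration follows."""
    return re.fullmatch(r"[a-z]{7,8}", host.split(".")[0]) is not None


def summarize(entries):
    """Count hosts per TLD and the distribution of second-level label lengths."""
    tlds = Counter(host.rsplit(".", 1)[1] for host, _ in entries)
    label_lengths = Counter(len(host.split(".")[0]) for host, _ in entries)
    return tlds, label_lengths


def suricata_dns_rules(entries, sid_base=9000001):
    """One Suricata dns.query rule per unique host. bsize pins the buffer
    length to the hostname length, so only an exact-name lookup matches."""
    rules, seen = [], set()
    for host, _ in entries:
        if host in seen:
            continue
        seen.add(host)
        rules.append(
            'alert dns any any -> any any (msg:"Mylobot C2 lookup {h}"; '
            'dns.query; content:"{h}"; nocase; bsize:{n}; sid:{sid}; rev:1;)'
            .format(h=host, n=len(host), sid=sid_base + len(rules))
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2_list(EXTRACTED_CONFIG)
    tlds, lengths = summarize(c2)
    print(f"{len(c2)} entries; TLDs: {dict(tlds)}; label lengths: {dict(lengths)}")
    print(f"generated-looking labels: {sum(looks_generated(h) for h, _ in c2)}/{len(c2)}")
    for rule in suricata_dns_rules(c2):
        print(rule)
```

To process the whole configuration, pass the full Malware Config section to parse_c2_list; the parser fails loudly on a stray line rather than silently dropping it, which matters when the output feeds a blocklist. The rules deduplicate on hostname because the same domain can appear with several ports, and the bsize check stops a longer name that merely contains one of these labels from firing.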
Signatures
Processes:
resource | yara_rule
behavioral1/files/0x0008000000012118-2.dat | aspack_v212_v242
Deletes itself 1 IoCs
Processes:
pid | Process
5796 | svchost.exe
Executes dropped EXE 1 IoCs
Processes:
pid | Process
2148 | DNjTeg.exe
Loads dropped DLL 2 IoCs
Processes:
pid | Process
2012 | 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
2012 | 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{20EB70A6-F012-E1C2-6E08-57736034243F} = "c:\\users\\admin\\appdata\\roaming\\{BCFB5896-D822-7DD2-6E08-57736034243F}\\11448809.exe" | 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 2012 set thread context of 5680 | 2012 | 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe | 32
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | DNjTeg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | DNjTeg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\sidebar.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | DNjTeg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\rmid.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\WinMail.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | DNjTeg.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE | DNjTeg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | DNjTeg.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | DNjTeg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | DNjTeg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE | DNjTeg.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | DNjTeg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by notepad.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by DNjTeg.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
-
Modifies registry class 3 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\CLSID\{E6DE7F6B-FFDF-27F7-6E08-57736034243F} by svchost.exe
- Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\CLSID\{BCFB5895-D821-7DD2-6E08-57736034243F} by svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\CLSID\{BCFB5895-D821-7DD2-6E08-57736034243F}\ = "1721958140" by svchost.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 5680 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
- PID 5680 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
- PID 5796 svchost.exe
- PID 5796 svchost.exe
- PID 5796 svchost.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- PID 5680 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2012

    Path: C:\Users\Admin\AppData\Local\Temp\DNjTeg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\DNjTeg.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2148

        Path: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0b49748e.bat" "
        - System Location Discovery: System Language Discovery
        PID: 6080

    Path: C:\Users\Admin\AppData\Local\Temp\1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 5680

        Path: C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        - Deletes itself
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 5796

            Path: C:\Windows\SysWOW64\notepad.exe
            Command line: "C:\Windows\system32\notepad.exe"
            - System Location Discovery: System Language Discovery
            PID: 2884
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 187B
MD5 aa4e9543420aede32b271cba4d4125ab
SHA1 b45b4c4f09a8815af29bbd0aa192a84f9f9bbefb
SHA256 e03cb9418a07072ce665b78b3cca1a70c6e82962e1403aa71bdcfade8ebe9669
SHA512 702eb5786f9707f121f786faab976143c8122ecdaa430746c9218d1af570b9c4d38f2a113a9264a60c88f6e42946671d5123443edcea2e1b9a8dd5f701eea591
-
Filesize 4B
MD5 20879c987e2f9a916e578386d499f629
SHA1 c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA256 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512 bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize 323KB
MD5 13782987c9a5c4ad10e8b1383f0ac2f3
SHA1 3806980775dad8044b68ce95c8cb29169ca8d72b
SHA256 1be7ffe419c1bac287de46b6fcb9ac986ee8d739b4803956fc114e6edcdf98e8
SHA512 453cef5bcdff5ecdd9400a0bf045ece446f8b5a7673d999840e79b0be3b7832aa677ae40fcf036ced152915ec6781bbd319af3e78fc42784ae3e5bdf1fc90d3b
-
Filesize 15KB
MD5 f7d21de5c4e81341eccd280c11ddcc9a
SHA1 d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA256 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512 e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3