3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19

Analysis

max time kernel
39s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 00:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3b988601ff177c9e4249033afe554d0N.exe
Size

824KB
MD5

a3b988601ff177c9e4249033afe554d0
SHA1

5bfa70d73d1ce57fbdc4813b3da3888c27b355c1
SHA256

3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19
SHA512

142333f75a47b1f57143c100cece090a726aef06e643c7c5332e91898defbe5df3b74de611dbdae4c866d44325d60343884b37ccbd256729b12e4d1ffae96640
SSDEEP

6144:z4sZBOZdjEYTPXMhaMP/kFTA7OA6BOZdjEYTPXMhaMP/a:znANL8oq/kFTsO6NL8oq/a

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jcorgtn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ozfjw.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dmnko.exe

Deletes itself 1 IoCs

pid	Process
296	dmnko.exe

Executes dropped EXE 35 IoCs

pid	Process
296	dmnko.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2312	ozfjw.exe
2992	ozfjw.exe
2960	ozfjw.exe
2880	ozfjw.exe
2600	ozfjw.exe
2956	ozfjw.exe
1868	ozfjw.exe
2928	ozfjw.exe
1480	ozfjw.exe
916	ozfjw.exe
1452	ozfjw.exe
860	ozfjw.exe
2140	ozfjw.exe
1084	ozfjw.exe
1332	ozfjw.exe
2384	ozfjw.exe
2464	ozfjw.exe
2224	ozfjw.exe
2240	ozfjw.exe
2216	ozfjw.exe
2352	ozfjw.exe
2108	ozfjw.exe
2096	ozfjw.exe
984	ozfjw.exe
2468	ozfjw.exe
1412	ozfjw.exe
1092	ozfjw.exe
2200	ozfjw.exe
1640	ozfjw.exe
564	ozfjw.exe
2284	ozfjw.exe
2288	ozfjw.exe

Loads dropped DLL 64 IoCs

pid	Process
2532	a3b988601ff177c9e4249033afe554d0N.exe
2532	a3b988601ff177c9e4249033afe554d0N.exe
2532	a3b988601ff177c9e4249033afe554d0N.exe
2532	a3b988601ff177c9e4249033afe554d0N.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	dmnko.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ezud.exe	ozfjw.exe
File opened for modification	C:\windows\SysWOW64\ozfjw.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	a3b988601ff177c9e4249033afe554d0N.exe
File created	\??\c:\windows\SysWOW64\ozfjw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	jcorgtn.exe
File opened for modification	\??\c:\windows\SysWOW64\ozfjw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	ozfjw.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\adnchjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\uxxbaodtjczc	dmnko.exe
File opened for modification	C:\Windows\system\skxckdjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\vfvxuyrjczc	ozfjw.exe
File opened for modification	C:\Windows\kdxesnjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\ak.djczc	ozfjw.exe
File opened for modification	C:\Windows\system\nbbxjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\lkhnffowjczc	dmnko.exe
File opened for modification	C:\Windows\bgevijczc	jcorgtn.exe
File opened for modification	C:\Windows\system\lobopjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\wxwexonkjczc	jcorgtn.exe
File opened for modification	C:\Windows\mqgxljczc	jcorgtn.exe
File opened for modification	C:\Windows\system\tyrzjczc	dmnko.exe
File opened for modification	C:\Windows\yh.ttlujczc	jcorgtn.exe
File opened for modification	C:\Windows\system\vodrojczc	ozfjw.exe
File opened for modification	C:\Windows\system\rlukjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\iaaqxiprjczc	dmnko.exe
File opened for modification	C:\Windows\pgvzchjczc	jcorgtn.exe
File opened for modification	C:\Windows\ie.hemsjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\drvcyljczc	dmnko.exe
File opened for modification	C:\Windows\system\fvlufzfsjczc	ozfjw.exe
File opened for modification	C:\Windows\system\ewszxhejczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\gkbvqejczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\xocpnjczc	ozfjw.exe
File opened for modification	C:\Windows\ynispkwfjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\pka.uoysjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\tziggsgjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\qngiupzqjczc	dmnko.exe
File opened for modification	C:\Windows\system\qtubqljczc	ozfjw.exe
File opened for modification	C:\Windows\system\nmpsvcfjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\.zlkzswjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\bvylwvjczc	ozfjw.exe
File opened for modification	C:\Windows\system\gzlkxajczc	dmnko.exe
File opened for modification	C:\Windows\fzybjczc	jcorgtn.exe
File opened for modification	C:\Windows\vdydmtfjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\emgpioqtjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\nciaerrjczc	dmnko.exe
File opened for modification	C:\Windows\system\uzs.sajczc	dmnko.exe
File opened for modification	C:\Windows\system\lfrojczc	ozfjw.exe
File opened for modification	C:\Windows\system\digspxrjczc	ozfjw.exe
File opened for modification	C:\Windows\system\evghujczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\dyqbmmyfjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\retnbbjczc	dmnko.exe
File opened for modification	C:\Windows\ppbgijczc	jcorgtn.exe
File opened for modification	C:\Windows\system\nmpsvcfjczc	ozfjw.exe
File opened for modification	C:\Windows\system\xxcxyqojczc	ozfjw.exe
File opened for modification	C:\Windows\system\cvyxh.jczc	ozfjw.exe
File opened for modification	C:\Windows\cbnxwjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xvqxpogjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\oqwanijczc	dmnko.exe
File opened for modification	C:\Windows\ozuxrqjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\epuvkjczc	ozfjw.exe
File opened for modification	C:\Windows\system\rveljczc	ozfjw.exe
File opened for modification	C:\Windows\mlqyihcjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\esxsjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\.kpgmjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\ynwnjczc	dmnko.exe
File opened for modification	C:\Windows\system\xuazefxjczc	ozfjw.exe
File opened for modification	C:\Windows\system\lzuzphrcjczc	dmnko.exe
File opened for modification	C:\Windows\system\kqodjczc	dmnko.exe
File opened for modification	C:\Windows\elhnbfjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\gpipuernjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\tyvexvajczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\suvruijczc	jcorgtn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3b988601ff177c9e4249033afe554d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmnko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcorgtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	a3b988601ff177c9e4249033afe554d0N.exe
2532	a3b988601ff177c9e4249033afe554d0N.exe
2532	a3b988601ff177c9e4249033afe554d0N.exe
2532	a3b988601ff177c9e4249033afe554d0N.exe
296	dmnko.exe
2776	jcorgtn.exe
2836	ozfjw.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
2776	jcorgtn.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
296	dmnko.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2836	ozfjw.exe
2776	jcorgtn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 296	2532	a3b988601ff177c9e4249033afe554d0N.exe	29
PID 2532 wrote to memory of 296	2532	a3b988601ff177c9e4249033afe554d0N.exe	29
PID 2532 wrote to memory of 296	2532	a3b988601ff177c9e4249033afe554d0N.exe	29
PID 2532 wrote to memory of 296	2532	a3b988601ff177c9e4249033afe554d0N.exe	29
PID 2532 wrote to memory of 2836	2532	a3b988601ff177c9e4249033afe554d0N.exe	30
PID 2532 wrote to memory of 2836	2532	a3b988601ff177c9e4249033afe554d0N.exe	30
PID 2532 wrote to memory of 2836	2532	a3b988601ff177c9e4249033afe554d0N.exe	30
PID 2532 wrote to memory of 2836	2532	a3b988601ff177c9e4249033afe554d0N.exe	30
PID 2532 wrote to memory of 2776	2532	a3b988601ff177c9e4249033afe554d0N.exe	31
PID 2532 wrote to memory of 2776	2532	a3b988601ff177c9e4249033afe554d0N.exe	31
PID 2532 wrote to memory of 2776	2532	a3b988601ff177c9e4249033afe554d0N.exe	31
PID 2532 wrote to memory of 2776	2532	a3b988601ff177c9e4249033afe554d0N.exe	31
PID 296 wrote to memory of 2312	296	dmnko.exe	32
PID 296 wrote to memory of 2312	296	dmnko.exe	32
PID 296 wrote to memory of 2312	296	dmnko.exe	32
PID 296 wrote to memory of 2312	296	dmnko.exe	32
PID 2836 wrote to memory of 2992	2836	ozfjw.exe	33
PID 2836 wrote to memory of 2992	2836	ozfjw.exe	33
PID 2836 wrote to memory of 2992	2836	ozfjw.exe	33
PID 2836 wrote to memory of 2992	2836	ozfjw.exe	33
PID 2776 wrote to memory of 2960	2776	jcorgtn.exe	34
PID 2776 wrote to memory of 2960	2776	jcorgtn.exe	34
PID 2776 wrote to memory of 2960	2776	jcorgtn.exe	34
PID 2776 wrote to memory of 2960	2776	jcorgtn.exe	34
PID 296 wrote to memory of 2880	296	dmnko.exe	35
PID 296 wrote to memory of 2880	296	dmnko.exe	35
PID 296 wrote to memory of 2880	296	dmnko.exe	35
PID 296 wrote to memory of 2880	296	dmnko.exe	35
PID 2836 wrote to memory of 2600	2836	ozfjw.exe	36
PID 2836 wrote to memory of 2600	2836	ozfjw.exe	36
PID 2836 wrote to memory of 2600	2836	ozfjw.exe	36
PID 2836 wrote to memory of 2600	2836	ozfjw.exe	36
PID 2776 wrote to memory of 2956	2776	jcorgtn.exe	37
PID 2776 wrote to memory of 2956	2776	jcorgtn.exe	37
PID 2776 wrote to memory of 2956	2776	jcorgtn.exe	37
PID 2776 wrote to memory of 2956	2776	jcorgtn.exe	37
PID 296 wrote to memory of 1868	296	dmnko.exe	38
PID 296 wrote to memory of 1868	296	dmnko.exe	38
PID 296 wrote to memory of 1868	296	dmnko.exe	38
PID 296 wrote to memory of 1868	296	dmnko.exe	38
PID 2836 wrote to memory of 2928	2836	ozfjw.exe	39
PID 2836 wrote to memory of 2928	2836	ozfjw.exe	39
PID 2836 wrote to memory of 2928	2836	ozfjw.exe	39
PID 2836 wrote to memory of 2928	2836	ozfjw.exe	39
PID 2776 wrote to memory of 1480	2776	jcorgtn.exe	40
PID 2776 wrote to memory of 1480	2776	jcorgtn.exe	40
PID 2776 wrote to memory of 1480	2776	jcorgtn.exe	40
PID 2776 wrote to memory of 1480	2776	jcorgtn.exe	40
PID 296 wrote to memory of 916	296	dmnko.exe	41
PID 296 wrote to memory of 916	296	dmnko.exe	41
PID 296 wrote to memory of 916	296	dmnko.exe	41
PID 296 wrote to memory of 916	296	dmnko.exe	41
PID 2836 wrote to memory of 1452	2836	ozfjw.exe	42
PID 2836 wrote to memory of 1452	2836	ozfjw.exe	42
PID 2836 wrote to memory of 1452	2836	ozfjw.exe	42
PID 2836 wrote to memory of 1452	2836	ozfjw.exe	42
PID 2776 wrote to memory of 860	2776	jcorgtn.exe	43
PID 2776 wrote to memory of 860	2776	jcorgtn.exe	43
PID 2776 wrote to memory of 860	2776	jcorgtn.exe	43
PID 2776 wrote to memory of 860	2776	jcorgtn.exe	43
PID 296 wrote to memory of 2140	296	dmnko.exe	44
PID 296 wrote to memory of 2140	296	dmnko.exe	44
PID 296 wrote to memory of 2140	296	dmnko.exe	44
PID 296 wrote to memory of 2140	296	dmnko.exe	44

C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532
- C:\windows\system\dmnko.exe
  "C:\windows\system\dmnko.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1868
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:916
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2108
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2468
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2200
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1516
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:112
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2196
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1208
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:276
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1756
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2032
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:472
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2088
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2308
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1792
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2180
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1600
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2920
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2136
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2724
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2432
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2740
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2896
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3064
- - C:\windows\system\pqneghsj.exe
    "C:\windows\system\pqneghsj.exe" "C:\windows\system\dmnko.exe"
    3⤵
    PID:3044
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:2876
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:2856
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:2956
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:1868
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:1376
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe" "C:\windows\system\dmnko.exe"
    3⤵
    PID:2944
- C:\windows\SysWOW64\ozfjw.exe
  "C:\windows\system32\ozfjw.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2992
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1412
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1640
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1988
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2212
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2120
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1684
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1764
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2040
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2292
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:584
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1492
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:836
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1804
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2340
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1788
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3052
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1032
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2744
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2824
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2904
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:556
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2948
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2532
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2936
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2852
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2092
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2100
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:940
- C:\windows\jcorgtn.exe
  "C:\windows\jcorgtn.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1480
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:860
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:564
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1668
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2208
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2480
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2508
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1956
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1752
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2420
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2260
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1680
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1976
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1100
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1676
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2084
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2236
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2528
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2820
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2888
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2416
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2808
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2520
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:568
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2684
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2672
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1364
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exedmnko.exe_

Filesize
824KB

MD5
a3b988601ff177c9e4249033afe554d0

SHA1
5bfa70d73d1ce57fbdc4813b3da3888c27b355c1

SHA256
3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19

SHA512
142333f75a47b1f57143c100cece090a726aef06e643c7c5332e91898defbe5df3b74de611dbdae4c866d44325d60343884b37ccbd256729b12e4d1ffae96640

Download Submit
\Windows\SysWOW64\ozfjw.exe

Filesize
629KB

MD5
559eb11ec5db5286a777fb815e5dbdaa

SHA1
703d24d40345dfacde4aef16275f5298b6590656

SHA256
85ce7cbd1b05cf343c36426b23c59711eca50c94bd3d0c871ab8c22b045551b2

SHA512
e2aaf68cf5cfcdd119c8f461c4d02c86dc07d0bdf926d3fab4e897401ea31853a9cbbfb9b507c3fc770751c279580c401a2f79d4e7e9cf426e59fee871aa60b1

Download Submit