3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3b988601ff177c9e4249033afe554d0N.exe
Size

824KB
MD5

a3b988601ff177c9e4249033afe554d0
SHA1

5bfa70d73d1ce57fbdc4813b3da3888c27b355c1
SHA256

3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19
SHA512

142333f75a47b1f57143c100cece090a726aef06e643c7c5332e91898defbe5df3b74de611dbdae4c866d44325d60343884b37ccbd256729b12e4d1ffae96640
SSDEEP

6144:z4sZBOZdjEYTPXMhaMP/kFTA7OA6BOZdjEYTPXMhaMP/a:znANL8oq/kFTsO6NL8oq/a

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dmnko.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ozfjw.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jcorgtn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	pqneghsj.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a3b988601ff177c9e4249033afe554d0N.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	jcorgtn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	pqneghsj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a3b988601ff177c9e4249033afe554d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	dmnko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	ozfjw.exe

Deletes itself 1 IoCs

pid	Process
8	dmnko.exe

Executes dropped EXE 64 IoCs

pid	Process
8	dmnko.exe
1480	ozfjw.exe
732	jcorgtn.exe
1492	ozfjw.exe
2476	ozfjw.exe
1440	ozfjw.exe
2160	ozfjw.exe
2928	ozfjw.exe
3012	ozfjw.exe
1616	ozfjw.exe
4560	ozfjw.exe
4400	ozfjw.exe
3404	ozfjw.exe
3044	ozfjw.exe
3888	ozfjw.exe
3128	ozfjw.exe
4108	ozfjw.exe
1444	ozfjw.exe
4536	ozfjw.exe
1820	ozfjw.exe
4508	ozfjw.exe
3612	ozfjw.exe
4032	ozfjw.exe
2196	ozfjw.exe
1308	ozfjw.exe
3944	ozfjw.exe
1688	ozfjw.exe
4956	ozfjw.exe
1864	ozfjw.exe
2592	ozfjw.exe
4288	ozfjw.exe
1536	ozfjw.exe
1044	ozfjw.exe
3932	ozfjw.exe
3444	ozfjw.exe
1492	ozfjw.exe
4188	ozfjw.exe
1592	ozfjw.exe
4348	ozfjw.exe
2928	ozfjw.exe
1392	ozfjw.exe
1204	ozfjw.exe
4592	ozfjw.exe
1780	ozfjw.exe
5104	ozfjw.exe
3776	ozfjw.exe
232	ozfjw.exe
3536	ozfjw.exe
676	ozfjw.exe
5024	ozfjw.exe
4836	ozfjw.exe
1528	ozfjw.exe
4316	ozfjw.exe
4108	ozfjw.exe
1940	ozfjw.exe
4600	ozfjw.exe
1820	ozfjw.exe
2412	ozfjw.exe
3732	ozfjw.exe
2036	ozfjw.exe
4504	ozfjw.exe
4596	ozfjw.exe
3860	ozfjw.exe
1032	ozfjw.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	pqneghsj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	pqneghsj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	pqneghsj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	jcorgtn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	jcorgtn.exe
File created	C:\windows\SysWOW64\ozfjw.exepqneghsj.exe_	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\windows\SysWOW64\ozfjw.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	jcorgtn.exe
File opened for modification	C:\windows\SysWOW64\RCX2DEC.tmp	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	pqneghsj.exe
File created	\??\c:\windows\SysWOW64\ozfjw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	\??\c:\windows\SysWOW64\ozfjw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	jcorgtn.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sn.inpvhjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\iidkfhjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\x.udjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\hgkudhujczc	ozfjw.exe
File opened for modification	C:\Windows\system\vaprqjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\kaeepjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\xw.sksamjczc	dmnko.exe
File opened for modification	C:\Windows\system\uwenuwjczc	pqneghsj.exe
File opened for modification	C:\Windows\agaicjczc	jcorgtn.exe
File opened for modification	C:\Windows\ltywjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xntkhusjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\vd.bzuijczc	pqneghsj.exe
File opened for modification	C:\Windows\system\dgarovyjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\foimojczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\eir.ajczc	dmnko.exe
File opened for modification	C:\Windows\system\hqfajczc	dmnko.exe
File opened for modification	C:\Windows\system\qvzmcrcgjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\vigovhcyjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\zkdektwzjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\d.dhfkjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\sz.kuwmjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\reqffsjczc	ozfjw.exe
File opened for modification	C:\Windows\lymajczc	jcorgtn.exe
File opened for modification	C:\Windows\system\ndwgkrhpjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\hbezqjczc	dmnko.exe
File opened for modification	C:\Windows\system\mmaujczc	pqneghsj.exe
File opened for modification	C:\Windows\system\bogrsajczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\pdaqdmkzjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\ty.xqejczc	jcorgtn.exe
File opened for modification	C:\Windows\system\lyqqbestjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\zuehkphjczc	ozfjw.exe
File opened for modification	C:\Windows\system\lkgxwnjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\onddwjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\gu..vmjczc	dmnko.exe
File opened for modification	C:\Windows\system\pbuutbjczc	ozfjw.exe
File opened for modification	C:\Windows\exphcsjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\lfssjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\uiigjczc	dmnko.exe
File opened for modification	C:\Windows\system\py.pjczc	dmnko.exe
File opened for modification	C:\Windows\zznbmjczc	jcorgtn.exe
File opened for modification	C:\Windows\wheeujczc	jcorgtn.exe
File opened for modification	C:\Windows\system\twbbmaxjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\dklnyjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\wufbijczc	dmnko.exe
File opened for modification	C:\Windows\gxvnjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\opsbxjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\vigovhcyjczc	dmnko.exe
File opened for modification	C:\Windows\system\ldmnzksjczc	ozfjw.exe
File opened for modification	C:\Windows\system\icdnjczc	ozfjw.exe
File opened for modification	C:\Windows\hfzghzbijczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xvpgzljczc	dmnko.exe
File opened for modification	C:\Windows\iakrzjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\fqcixjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\nweeejczc	ozfjw.exe
File opened for modification	C:\Windows\system\gofhw.bajczc	pqneghsj.exe
File opened for modification	C:\Windows\system\knabzsijczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\vlkhujczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\hizpzlcjczc	dmnko.exe
File opened for modification	C:\Windows\system\vuwgchajczc	ozfjw.exe
File opened for modification	C:\Windows\system\bqpsdsjczc	dmnko.exe
File opened for modification	C:\Windows\hnxorjczc	jcorgtn.exe
File opened for modification	C:\Windows\a.ygvzjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xhnmjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\zrklxfjczc	pqneghsj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcorgtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmnko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a3b988601ff177c9e4249033afe554d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dmnko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ozfjw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	jcorgtn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	pqneghsj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
8	dmnko.exe
8	dmnko.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
8	dmnko.exe
8	dmnko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 8	1416	a3b988601ff177c9e4249033afe554d0N.exe	88
PID 1416 wrote to memory of 8	1416	a3b988601ff177c9e4249033afe554d0N.exe	88
PID 1416 wrote to memory of 8	1416	a3b988601ff177c9e4249033afe554d0N.exe	88
PID 1416 wrote to memory of 1480	1416	a3b988601ff177c9e4249033afe554d0N.exe	89
PID 1416 wrote to memory of 1480	1416	a3b988601ff177c9e4249033afe554d0N.exe	89
PID 1416 wrote to memory of 1480	1416	a3b988601ff177c9e4249033afe554d0N.exe	89
PID 1416 wrote to memory of 732	1416	a3b988601ff177c9e4249033afe554d0N.exe	90
PID 1416 wrote to memory of 732	1416	a3b988601ff177c9e4249033afe554d0N.exe	90
PID 1416 wrote to memory of 732	1416	a3b988601ff177c9e4249033afe554d0N.exe	90
PID 8 wrote to memory of 1492	8	dmnko.exe	93
PID 8 wrote to memory of 1492	8	dmnko.exe	93
PID 8 wrote to memory of 1492	8	dmnko.exe	93
PID 1480 wrote to memory of 2476	1480	ozfjw.exe	96
PID 1480 wrote to memory of 2476	1480	ozfjw.exe	96
PID 1480 wrote to memory of 2476	1480	ozfjw.exe	96
PID 732 wrote to memory of 1440	732	jcorgtn.exe	97
PID 732 wrote to memory of 1440	732	jcorgtn.exe	97
PID 732 wrote to memory of 1440	732	jcorgtn.exe	97
PID 8 wrote to memory of 2160	8	dmnko.exe	98
PID 8 wrote to memory of 2160	8	dmnko.exe	98
PID 8 wrote to memory of 2160	8	dmnko.exe	98
PID 1480 wrote to memory of 2928	1480	ozfjw.exe	100
PID 1480 wrote to memory of 2928	1480	ozfjw.exe	100
PID 1480 wrote to memory of 2928	1480	ozfjw.exe	100
PID 732 wrote to memory of 3012	732	jcorgtn.exe	101
PID 732 wrote to memory of 3012	732	jcorgtn.exe	101
PID 732 wrote to memory of 3012	732	jcorgtn.exe	101
PID 8 wrote to memory of 1616	8	dmnko.exe	102
PID 8 wrote to memory of 1616	8	dmnko.exe	102
PID 8 wrote to memory of 1616	8	dmnko.exe	102
PID 1480 wrote to memory of 4560	1480	ozfjw.exe	105
PID 1480 wrote to memory of 4560	1480	ozfjw.exe	105
PID 1480 wrote to memory of 4560	1480	ozfjw.exe	105
PID 732 wrote to memory of 4400	732	jcorgtn.exe	106
PID 732 wrote to memory of 4400	732	jcorgtn.exe	106
PID 732 wrote to memory of 4400	732	jcorgtn.exe	106
PID 8 wrote to memory of 3404	8	dmnko.exe	107
PID 8 wrote to memory of 3404	8	dmnko.exe	107
PID 8 wrote to memory of 3404	8	dmnko.exe	107
PID 1480 wrote to memory of 3044	1480	ozfjw.exe	108
PID 1480 wrote to memory of 3044	1480	ozfjw.exe	108
PID 1480 wrote to memory of 3044	1480	ozfjw.exe	108
PID 732 wrote to memory of 3888	732	jcorgtn.exe	109
PID 732 wrote to memory of 3888	732	jcorgtn.exe	109
PID 732 wrote to memory of 3888	732	jcorgtn.exe	109
PID 8 wrote to memory of 3128	8	dmnko.exe	110
PID 8 wrote to memory of 3128	8	dmnko.exe	110
PID 8 wrote to memory of 3128	8	dmnko.exe	110
PID 1480 wrote to memory of 4108	1480	ozfjw.exe	111
PID 1480 wrote to memory of 4108	1480	ozfjw.exe	111
PID 1480 wrote to memory of 4108	1480	ozfjw.exe	111
PID 732 wrote to memory of 1444	732	jcorgtn.exe	112
PID 732 wrote to memory of 1444	732	jcorgtn.exe	112
PID 732 wrote to memory of 1444	732	jcorgtn.exe	112
PID 8 wrote to memory of 4536	8	dmnko.exe	113
PID 8 wrote to memory of 4536	8	dmnko.exe	113
PID 8 wrote to memory of 4536	8	dmnko.exe	113
PID 1480 wrote to memory of 1820	1480	ozfjw.exe	114
PID 1480 wrote to memory of 1820	1480	ozfjw.exe	114
PID 1480 wrote to memory of 1820	1480	ozfjw.exe	114
PID 732 wrote to memory of 4508	732	jcorgtn.exe	115
PID 732 wrote to memory of 4508	732	jcorgtn.exe	115
PID 732 wrote to memory of 4508	732	jcorgtn.exe	115
PID 8 wrote to memory of 3612	8	dmnko.exe	116

C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\windows\system\dmnko.exe
  "C:\windows\system\dmnko.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1492
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3404
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3128
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4956
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4288
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3932
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4188
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3776
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2732
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2728
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3104
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:5080
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1336
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe" "C:\windows\system\dmnko.exe"
    3⤵
    PID:1128
- C:\windows\SysWOW64\ozfjw.exe
  "C:\windows\system32\ozfjw.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4560
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4108
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4032
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3444
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4836
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4108
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:5016
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1568
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4600
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\windows\system\pqneghsj.exe
    "C:\windows\system\pqneghsj.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:4188
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:4416
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5084
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:2604
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4944
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4020
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2684
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- C:\windows\jcorgtn.exe
  "C:\windows\jcorgtn.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3888
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3944
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5024
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4316
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1680
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4848
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3216
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3076
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:840
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2160
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1616
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:832
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4884
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4488
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1864
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exedmnko.exe_

Filesize
824KB

MD5
a3b988601ff177c9e4249033afe554d0

SHA1
5bfa70d73d1ce57fbdc4813b3da3888c27b355c1

SHA256
3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19

SHA512
142333f75a47b1f57143c100cece090a726aef06e643c7c5332e91898defbe5df3b74de611dbdae4c866d44325d60343884b37ccbd256729b12e4d1ffae96640

Download Submit
C:\Windows\SysWOW64\ozfjw.exe

Filesize
678KB

MD5
072ed5c7b1f18c383b8ccdb0dd3edb4b

SHA1
2ed84152b9ea71e267dd4d1af22df852080a3be4

SHA256
b386b5165f88a6301eeb7637786625f8bf3f29030ebf7c827e8096a3e68ec0a0

SHA512
df673216c1eaa194adeb28c3008be0248b0e120db2d879bdd707cc680705f419f228dbf052edf7f66f6d26496cc81e0f293885e0081e4ebe696d78b7f15f1c55

Download Submit
C:\Windows\SysWOW64\ozfjw.exepqneghsj.exe_

Filesize
532KB

MD5
91a28047a2f0ee1660e5b3c54288a58d

SHA1
0c291a456c547b00403849abf6d7000da9a9f6ef

SHA256
e8a4e44b78a1916b51302b44c2d5d6104596b7f6b7d04613b65ff7450f3c9948

SHA512
94fec00c45c5a095f03e9c0241f7f9414b1600db9e6d8fa1f6ab09dcee5e7a2b21ea53ed1e6a0f6a05411ea1bd65a802f1e0ab75cf98051501e46c6a503b9297

Download Submit
C:\Windows\jcorgtn.exe

Filesize
727KB

MD5
d86fbbb69b1f3b8a5be4ceb3ee17759c

SHA1
fc409cfcb3e8257494d70be0c175aac38ccc556f

SHA256
8090a85de17923fb19d011be7c39edad71c694146481d808a074c2a77bc63e4a

SHA512
d5a0872ff7b76cc10d679c4cb374c8e1be3d3f51c4c2a14e0cbd3fc1c7bcd1ef89b320617e60c3e54b5752badf7b0e91b8f1f19d8f9267c7817f5f6e1a139e8c

Download Submit