3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 00:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3b988601ff177c9e4249033afe554d0N.exe
Size

824KB
MD5

a3b988601ff177c9e4249033afe554d0
SHA1

5bfa70d73d1ce57fbdc4813b3da3888c27b355c1
SHA256

3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19
SHA512

142333f75a47b1f57143c100cece090a726aef06e643c7c5332e91898defbe5df3b74de611dbdae4c866d44325d60343884b37ccbd256729b12e4d1ffae96640
SSDEEP

6144:z4sZBOZdjEYTPXMhaMP/kFTA7OA6BOZdjEYTPXMhaMP/a:znANL8oq/kFTsO6NL8oq/a

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	dmnko.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ozfjw.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jcorgtn.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	pqneghsj.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	a3b988601ff177c9e4249033afe554d0N.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	jcorgtn.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	pqneghsj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a3b988601ff177c9e4249033afe554d0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	dmnko.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	ozfjw.exe

Deletes itself 1 IoCs

pid	Process
8	dmnko.exe

Executes dropped EXE 64 IoCs

pid	Process
8	dmnko.exe
1480	ozfjw.exe
732	jcorgtn.exe
1492	ozfjw.exe
2476	ozfjw.exe
1440	ozfjw.exe
2160	ozfjw.exe
2928	ozfjw.exe
3012	ozfjw.exe
1616	ozfjw.exe
4560	ozfjw.exe
4400	ozfjw.exe
3404	ozfjw.exe
3044	ozfjw.exe
3888	ozfjw.exe
3128	ozfjw.exe
4108	ozfjw.exe
1444	ozfjw.exe
4536	ozfjw.exe
1820	ozfjw.exe
4508	ozfjw.exe
3612	ozfjw.exe
4032	ozfjw.exe
2196	ozfjw.exe
1308	ozfjw.exe
3944	ozfjw.exe
1688	ozfjw.exe
4956	ozfjw.exe
1864	ozfjw.exe
2592	ozfjw.exe
4288	ozfjw.exe
1536	ozfjw.exe
1044	ozfjw.exe
3932	ozfjw.exe
3444	ozfjw.exe
1492	ozfjw.exe
4188	ozfjw.exe
1592	ozfjw.exe
4348	ozfjw.exe
2928	ozfjw.exe
1392	ozfjw.exe
1204	ozfjw.exe
4592	ozfjw.exe
1780	ozfjw.exe
5104	ozfjw.exe
3776	ozfjw.exe
232	ozfjw.exe
3536	ozfjw.exe
676	ozfjw.exe
5024	ozfjw.exe
4836	ozfjw.exe
1528	ozfjw.exe
4316	ozfjw.exe
4108	ozfjw.exe
1940	ozfjw.exe
4600	ozfjw.exe
1820	ozfjw.exe
2412	ozfjw.exe
3732	ozfjw.exe
2036	ozfjw.exe
4504	ozfjw.exe
4596	ozfjw.exe
3860	ozfjw.exe
1032	ozfjw.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	pqneghsj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	pqneghsj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	a3b988601ff177c9e4249033afe554d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	dmnko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	pqneghsj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pqneghsj = "c:\\windows\\system\\pqneghsj.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmnko = "c:\\windows\\system\\dmnko.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	ozfjw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozfjw = "c:\\windows\\system32\\ozfjw.exe"	jcorgtn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jcorgtn = "c:\\windows\\jcorgtn.exe"	jcorgtn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	jcorgtn.exe
File created	C:\windows\SysWOW64\ozfjw.exepqneghsj.exe_	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\windows\SysWOW64\ozfjw.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\hqmqwbzw.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	jcorgtn.exe
File opened for modification	C:\windows\SysWOW64\RCX2DEC.tmp	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\hvdcjh.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ezud.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\qchgzxl.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	pqneghsj.exe
File created	\??\c:\windows\SysWOW64\ozfjw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	pqneghsj.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	ozfjw.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\szifpxzj.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\dfcf.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\yylhnva.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\dzts.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\mvhqlzrv.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\fmujqvvs.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ygassa.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	\??\c:\windows\SysWOW64\ozfjw.exe	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\SysWOW64\ljguhwry.exe	dmnko.exe
File opened for modification	C:\Windows\SysWOW64\bujydr.exe	jcorgtn.exe
File opened for modification	C:\Windows\SysWOW64\xmxupchq.exe	jcorgtn.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\sn.inpvhjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\iidkfhjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\x.udjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\hgkudhujczc	ozfjw.exe
File opened for modification	C:\Windows\system\vaprqjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\kaeepjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\xw.sksamjczc	dmnko.exe
File opened for modification	C:\Windows\system\uwenuwjczc	pqneghsj.exe
File opened for modification	C:\Windows\agaicjczc	jcorgtn.exe
File opened for modification	C:\Windows\ltywjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xntkhusjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\vd.bzuijczc	pqneghsj.exe
File opened for modification	C:\Windows\system\dgarovyjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\foimojczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\eir.ajczc	dmnko.exe
File opened for modification	C:\Windows\system\hqfajczc	dmnko.exe
File opened for modification	C:\Windows\system\qvzmcrcgjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\vigovhcyjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\zkdektwzjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\d.dhfkjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\sz.kuwmjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\reqffsjczc	ozfjw.exe
File opened for modification	C:\Windows\lymajczc	jcorgtn.exe
File opened for modification	C:\Windows\system\ndwgkrhpjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\hbezqjczc	dmnko.exe
File opened for modification	C:\Windows\system\mmaujczc	pqneghsj.exe
File opened for modification	C:\Windows\system\bogrsajczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\pdaqdmkzjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\ty.xqejczc	jcorgtn.exe
File opened for modification	C:\Windows\system\lyqqbestjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\zuehkphjczc	ozfjw.exe
File opened for modification	C:\Windows\system\lkgxwnjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\onddwjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\gu..vmjczc	dmnko.exe
File opened for modification	C:\Windows\system\pbuutbjczc	ozfjw.exe
File opened for modification	C:\Windows\exphcsjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\lfssjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\uiigjczc	dmnko.exe
File opened for modification	C:\Windows\system\py.pjczc	dmnko.exe
File opened for modification	C:\Windows\zznbmjczc	jcorgtn.exe
File opened for modification	C:\Windows\wheeujczc	jcorgtn.exe
File opened for modification	C:\Windows\system\twbbmaxjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\dklnyjczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\wufbijczc	dmnko.exe
File opened for modification	C:\Windows\gxvnjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\opsbxjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\vigovhcyjczc	dmnko.exe
File opened for modification	C:\Windows\system\ldmnzksjczc	ozfjw.exe
File opened for modification	C:\Windows\system\icdnjczc	ozfjw.exe
File opened for modification	C:\Windows\hfzghzbijczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xvpgzljczc	dmnko.exe
File opened for modification	C:\Windows\iakrzjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\fqcixjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\nweeejczc	ozfjw.exe
File opened for modification	C:\Windows\system\gofhw.bajczc	pqneghsj.exe
File opened for modification	C:\Windows\system\knabzsijczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\vlkhujczc	a3b988601ff177c9e4249033afe554d0N.exe
File opened for modification	C:\Windows\system\hizpzlcjczc	dmnko.exe
File opened for modification	C:\Windows\system\vuwgchajczc	ozfjw.exe
File opened for modification	C:\Windows\system\bqpsdsjczc	dmnko.exe
File opened for modification	C:\Windows\hnxorjczc	jcorgtn.exe
File opened for modification	C:\Windows\a.ygvzjczc	jcorgtn.exe
File opened for modification	C:\Windows\system\xhnmjczc	pqneghsj.exe
File opened for modification	C:\Windows\system\zrklxfjczc	pqneghsj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcorgtn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmnko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ozfjw.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a3b988601ff177c9e4249033afe554d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dmnko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ozfjw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	jcorgtn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	pqneghsj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
1416	a3b988601ff177c9e4249033afe554d0N.exe
8	dmnko.exe
8	dmnko.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
8	dmnko.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
732	jcorgtn.exe
1480	ozfjw.exe
1480	ozfjw.exe
732	jcorgtn.exe
732	jcorgtn.exe
8	dmnko.exe
8	dmnko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 8	1416	a3b988601ff177c9e4249033afe554d0N.exe	88
PID 1416 wrote to memory of 8	1416	a3b988601ff177c9e4249033afe554d0N.exe	88
PID 1416 wrote to memory of 8	1416	a3b988601ff177c9e4249033afe554d0N.exe	88
PID 1416 wrote to memory of 1480	1416	a3b988601ff177c9e4249033afe554d0N.exe	89
PID 1416 wrote to memory of 1480	1416	a3b988601ff177c9e4249033afe554d0N.exe	89
PID 1416 wrote to memory of 1480	1416	a3b988601ff177c9e4249033afe554d0N.exe	89
PID 1416 wrote to memory of 732	1416	a3b988601ff177c9e4249033afe554d0N.exe	90
PID 1416 wrote to memory of 732	1416	a3b988601ff177c9e4249033afe554d0N.exe	90
PID 1416 wrote to memory of 732	1416	a3b988601ff177c9e4249033afe554d0N.exe	90
PID 8 wrote to memory of 1492	8	dmnko.exe	93
PID 8 wrote to memory of 1492	8	dmnko.exe	93
PID 8 wrote to memory of 1492	8	dmnko.exe	93
PID 1480 wrote to memory of 2476	1480	ozfjw.exe	96
PID 1480 wrote to memory of 2476	1480	ozfjw.exe	96
PID 1480 wrote to memory of 2476	1480	ozfjw.exe	96
PID 732 wrote to memory of 1440	732	jcorgtn.exe	97
PID 732 wrote to memory of 1440	732	jcorgtn.exe	97
PID 732 wrote to memory of 1440	732	jcorgtn.exe	97
PID 8 wrote to memory of 2160	8	dmnko.exe	98
PID 8 wrote to memory of 2160	8	dmnko.exe	98
PID 8 wrote to memory of 2160	8	dmnko.exe	98
PID 1480 wrote to memory of 2928	1480	ozfjw.exe	100
PID 1480 wrote to memory of 2928	1480	ozfjw.exe	100
PID 1480 wrote to memory of 2928	1480	ozfjw.exe	100
PID 732 wrote to memory of 3012	732	jcorgtn.exe	101
PID 732 wrote to memory of 3012	732	jcorgtn.exe	101
PID 732 wrote to memory of 3012	732	jcorgtn.exe	101
PID 8 wrote to memory of 1616	8	dmnko.exe	102
PID 8 wrote to memory of 1616	8	dmnko.exe	102
PID 8 wrote to memory of 1616	8	dmnko.exe	102
PID 1480 wrote to memory of 4560	1480	ozfjw.exe	105
PID 1480 wrote to memory of 4560	1480	ozfjw.exe	105
PID 1480 wrote to memory of 4560	1480	ozfjw.exe	105
PID 732 wrote to memory of 4400	732	jcorgtn.exe	106
PID 732 wrote to memory of 4400	732	jcorgtn.exe	106
PID 732 wrote to memory of 4400	732	jcorgtn.exe	106
PID 8 wrote to memory of 3404	8	dmnko.exe	107
PID 8 wrote to memory of 3404	8	dmnko.exe	107
PID 8 wrote to memory of 3404	8	dmnko.exe	107
PID 1480 wrote to memory of 3044	1480	ozfjw.exe	108
PID 1480 wrote to memory of 3044	1480	ozfjw.exe	108
PID 1480 wrote to memory of 3044	1480	ozfjw.exe	108
PID 732 wrote to memory of 3888	732	jcorgtn.exe	109
PID 732 wrote to memory of 3888	732	jcorgtn.exe	109
PID 732 wrote to memory of 3888	732	jcorgtn.exe	109
PID 8 wrote to memory of 3128	8	dmnko.exe	110
PID 8 wrote to memory of 3128	8	dmnko.exe	110
PID 8 wrote to memory of 3128	8	dmnko.exe	110
PID 1480 wrote to memory of 4108	1480	ozfjw.exe	111
PID 1480 wrote to memory of 4108	1480	ozfjw.exe	111
PID 1480 wrote to memory of 4108	1480	ozfjw.exe	111
PID 732 wrote to memory of 1444	732	jcorgtn.exe	112
PID 732 wrote to memory of 1444	732	jcorgtn.exe	112
PID 732 wrote to memory of 1444	732	jcorgtn.exe	112
PID 8 wrote to memory of 4536	8	dmnko.exe	113
PID 8 wrote to memory of 4536	8	dmnko.exe	113
PID 8 wrote to memory of 4536	8	dmnko.exe	113
PID 1480 wrote to memory of 1820	1480	ozfjw.exe	114
PID 1480 wrote to memory of 1820	1480	ozfjw.exe	114
PID 1480 wrote to memory of 1820	1480	ozfjw.exe	114
PID 732 wrote to memory of 4508	732	jcorgtn.exe	115
PID 732 wrote to memory of 4508	732	jcorgtn.exe	115
PID 732 wrote to memory of 4508	732	jcorgtn.exe	115
PID 8 wrote to memory of 3612	8	dmnko.exe	116

C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe
"C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\windows\system\dmnko.exe
  "C:\windows\system\dmnko.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1492
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3404
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3128
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4956
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4288
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3932
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4188
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3776
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2732
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2728
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3104
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:5080
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1336
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe" "C:\windows\system\dmnko.exe"
    3⤵
    PID:1128
- C:\windows\SysWOW64\ozfjw.exe
  "C:\windows\system32\ozfjw.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4560
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4108
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4032
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3444
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1592
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4836
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4108
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:5016
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1568
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1496
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4600
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\windows\system\pqneghsj.exe
    "C:\windows\system\pqneghsj.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:4188
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:4416
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5084
  - - C:\windows\SysWOW64\ozfjw.exe
      "C:\windows\system32\ozfjw.exe"
      4⤵
      PID:2604
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4944
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4020
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2684
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- C:\windows\jcorgtn.exe
  "C:\windows\jcorgtn.exe" "C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3888
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1444
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3944
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5024
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4316
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1680
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4848
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3216
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3076
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:840
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:2160
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1616
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:832
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4884
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:4488
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:1864
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- - C:\windows\SysWOW64\ozfjw.exe
    "C:\windows\system32\ozfjw.exe"
    3⤵
    PID:3928

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=21EB1F8BE96267B603630B6AE8456650; domain=.bing.com; expires=Sun, 14-Sep-2025 00:18:16 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 82F952F9530D48C5A7E337AF768A73FC Ref B: LON04EDGE0721 Ref C: 2024-08-20T00:18:16Z
date: Tue, 20 Aug 2024 00:18:16 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=21EB1F8BE96267B603630B6AE8456650

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=gQn40pT2lBGo8rA2uIHj2mAbyQrHY1evp16wgqR3l1U; domain=.bing.com; expires=Sun, 14-Sep-2025 00:18:16 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1DBC298340AC44608653823891A04532 Ref B: LON04EDGE0721 Ref C: 2024-08-20T00:18:16Z
date: Tue, 20 Aug 2024 00:18:16 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=21EB1F8BE96267B603630B6AE8456650; MSPTC=gQn40pT2lBGo8rA2uIHj2mAbyQrHY1evp16wgqR3l1U

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9186072923D84BB9AFA3E4BDED009943 Ref B: LON04EDGE0721 Ref C: 2024-08-20T00:18:16Z
date: Tue, 20 Aug 2024 00:18:16 GMT
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340417880_1PRMSECURT9IUDN7Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340417880_1PRMSECURT9IUDN7Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 664785
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8651616DB8604B8BAECDA2A2AE306989 Ref B: LON04EDGE0614 Ref C: 2024-08-20T00:19:55Z
date: Tue, 20 Aug 2024 00:19:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 502729
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B5486E65F7FF4305A455D4AAFDB42678 Ref B: LON04EDGE0614 Ref C: 2024-08-20T00:19:55Z
date: Tue, 20 Aug 2024 00:19:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 542449
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 071541A561FB4A5EBB275EFD184CD224 Ref B: LON04EDGE0614 Ref C: 2024-08-20T00:19:55Z
date: Tue, 20 Aug 2024 00:19:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388043_1HMYXED637CKIBU88&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388043_1HMYXED637CKIBU88&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 682955
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6D45A9891AAD4A0DB07372D3E8B050DD Ref B: LON04EDGE0614 Ref C: 2024-08-20T00:19:55Z
date: Tue, 20 Aug 2024 00:19:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388042_1APSAGRCSB9NM0S8N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388042_1APSAGRCSB9NM0S8N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 665915
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 397597CAE57A4259B01425F9302A1CE7 Ref B: LON04EDGE0614 Ref C: 2024-08-20T00:19:55Z
date: Tue, 20 Aug 2024 00:19:55 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 473680
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 85F55526695C4D2A89081B56EDCEFC29 Ref B: LON04EDGE0614 Ref C: 2024-08-20T00:19:55Z
date: Tue, 20 Aug 2024 00:19:55 GMT
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=de70e41203ba40d5b53b1d35ab959447&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

HTTP Response

204
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

127.1kB
3.7MB
2663
2657

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340417880_1PRMSECURT9IUDN7Q&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360607350_1DIIHMLKOJP4KM45O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360607351_1LWNG3EPOKCB0ST8C&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388043_1HMYXED637CKIBU88&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388042_1APSAGRCSB9NM0S8N&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418534_1SATV94N425TECTRU&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a3b988601ff177c9e4249033afe554d0N.exedmnko.exe_

Filesize
824KB

MD5
a3b988601ff177c9e4249033afe554d0

SHA1
5bfa70d73d1ce57fbdc4813b3da3888c27b355c1

SHA256
3b57166a2a67752c4f1f3adeea25470915cefbbb19cc515bcf7b0a5f6b48ed19

SHA512
142333f75a47b1f57143c100cece090a726aef06e643c7c5332e91898defbe5df3b74de611dbdae4c866d44325d60343884b37ccbd256729b12e4d1ffae96640

Download Submit
C:\Windows\SysWOW64\ozfjw.exe

Filesize
678KB

MD5
072ed5c7b1f18c383b8ccdb0dd3edb4b

SHA1
2ed84152b9ea71e267dd4d1af22df852080a3be4

SHA256
b386b5165f88a6301eeb7637786625f8bf3f29030ebf7c827e8096a3e68ec0a0

SHA512
df673216c1eaa194adeb28c3008be0248b0e120db2d879bdd707cc680705f419f228dbf052edf7f66f6d26496cc81e0f293885e0081e4ebe696d78b7f15f1c55

Download Submit
C:\Windows\SysWOW64\ozfjw.exepqneghsj.exe_

Filesize
532KB

MD5
91a28047a2f0ee1660e5b3c54288a58d

SHA1
0c291a456c547b00403849abf6d7000da9a9f6ef

SHA256
e8a4e44b78a1916b51302b44c2d5d6104596b7f6b7d04613b65ff7450f3c9948

SHA512
94fec00c45c5a095f03e9c0241f7f9414b1600db9e6d8fa1f6ab09dcee5e7a2b21ea53ed1e6a0f6a05411ea1bd65a802f1e0ab75cf98051501e46c6a503b9297

Download Submit
C:\Windows\jcorgtn.exe

Filesize
727KB

MD5
d86fbbb69b1f3b8a5be4ceb3ee17759c

SHA1
fc409cfcb3e8257494d70be0c175aac38ccc556f

SHA256
8090a85de17923fb19d011be7c39edad71c694146481d808a074c2a77bc63e4a

SHA512
d5a0872ff7b76cc10d679c4cb374c8e1be3d3f51c4c2a14e0cbd3fc1c7bcd1ef89b320617e60c3e54b5752badf7b0e91b8f1f19d8f9267c7817f5f6e1a139e8c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.