Analysis
-
max time kernel
22s -
max time network
71s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30/12/2023, 01:21
General
-
Target
09ec2458a746ed795c88a62729a3d30e.exe
-
Size
46KB
-
MD5
09ec2458a746ed795c88a62729a3d30e
-
SHA1
750cbd39b147e19cd38c6cf305487ee7d25243d8
-
SHA256
c6e1325d7043ee9af9529565e9a2ac16d56c2f1f8365d1dd469a0d3ea497c62a
-
SHA512
8e96b91af9e65097c41f4edade11219962220418a770d57977fe979bd2c50fe505f8eac367de22c53c9b4baf11cbac73d5a6d5f2190f3e70d672cfbc5402fca4
-
SSDEEP
768:j7RNHmpC97r/hgGxtPuC+uwkIuIe98PXs4/wKUUpWL9Sfc3VkX0BoEoc5un:j7x97r/doawVur4YKUOWxVFIi5un
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 62 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\09ec2458a746ed795c88a62729a3d30e.exe"C:\Users\Admin\AppData\Local\Temp\09ec2458a746ed795c88a62729a3d30e.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\USERS\ADMIN\APPDATA\LOCAL\TEMP\09EC2458A746ED795C88A62729A3D30E.EXE2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\jhxwxwhqxx.exe"C:\WINDOWS\SYSTEM32\jhxwxwhqxx.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
-
-
C:\WINDOWS\SysWOW64\mommyooluq.exe"C:\WINDOWS\SYSTEM32\mommyooluq.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\xjnefipiib.exe"C:\WINDOWS\SYSTEM32\xjnefipiib.exe" mElTC:\WINDOWS\SYSWOW64\MOMMYOOLUQ.EXE2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\XJNEFIPIIB.EXE3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gfphpphxby.exe"C:\WINDOWS\SYSTEM32\gfphpphxby.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\UZNBBMJTYV.EXE1⤵
-
C:\WINDOWS\SysWOW64\tagaswzgsg.exe"C:\WINDOWS\SYSTEM32\tagaswzgsg.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\TAGASWZGSG.EXE2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\RFFNKQROHD.EXE1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\oumndxevin.exe"C:\WINDOWS\SYSTEM32\oumndxevin.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
-
C:\WINDOWS\SysWOW64\eatiwrfkqk.exe"C:\WINDOWS\SYSTEM32\eatiwrfkqk.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\EATIWRFKQK.EXE2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\wzwgnwjxys.exe"C:\WINDOWS\SYSTEM32\wzwgnwjxys.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gvxycrrdmd.exe"C:\WINDOWS\SYSTEM32\gvxycrrdmd.exe" mElTC:\WINDOWS\SYSWOW64\WZWGNWJXYS.EXE4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\GVXYCRRDMD.EXE5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
-
-
-
-
C:\WINDOWS\SysWOW64\yymjebcszz.exe"C:\WINDOWS\SYSTEM32\yymjebcszz.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\YYMJEBCSZZ.EXE2⤵
-
-
C:\WINDOWS\SysWOW64\rvluskgdvm.exe"C:\WINDOWS\SYSTEM32\rvluskgdvm.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\RVLUSKGDVM.EXE2⤵
-
C:\WINDOWS\SysWOW64\jjlepllvig.exe"C:\WINDOWS\SYSTEM32\jjlepllvig.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE3⤵
-
C:\WINDOWS\SysWOW64\rkkedaprjq.exe"C:\WINDOWS\SYSTEM32\rkkedaprjq.exe" mElTC:\WINDOWS\SYSWOW64\JJLEPLLVIG.EXE4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\RKKEDAPRJQ.EXE5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\lepuvtxows.exe"C:\WINDOWS\SYSTEM32\lepuvtxows.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\LEPUVTXOWS.EXE7⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\jjoponyvmp.exe"C:\WINDOWS\SYSTEM32\jjoponyvmp.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\JJOPONYVMP.EXE9⤵
-
C:\WINDOWS\SysWOW64\gdkdeieiam.exe"C:\WINDOWS\SYSTEM32\gdkdeieiam.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\GDKDEIEIAM.EXE11⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\weevfmknig.exe"C:\WINDOWS\SYSTEM32\weevfmknig.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\WEEVFMKNIG.EXE13⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\tjlqxgkvpd.exe"C:\WINDOWS\SYSTEM32\tjlqxgkvpd.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE14⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\TJLQXGKVPD.EXE15⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\jcjqtbseyp.exe"C:\WINDOWS\SYSTEM32\jcjqtbseyp.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\JCJQTBSEYP.EXE17⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\yohwwcfmsw.exe"C:\WINDOWS\SYSTEM32\yohwwcfmsw.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE18⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\tfjzmrgots.exe"C:\WINDOWS\SYSTEM32\tfjzmrgots.exe" mElTC:\WINDOWS\SYSWOW64\YOHWWCFMSW.EXE19⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\TFJZMRGOTS.EXE20⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\mnmjcsfkif.exe"C:\WINDOWS\SYSTEM32\mnmjcsfkif.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\qdreyyrnpb.exe"C:\WINDOWS\SYSTEM32\qdreyyrnpb.exe" mElTC:\WINDOWS\SYSWOW64\MNMJCSFKIF.EXE22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\QDREYYRNPB.EXE23⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\mraheqzeyi.exe"C:\WINDOWS\SYSTEM32\mraheqzeyi.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\MRAHEQZEYI.EXE25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gicctfahzw.exe"C:\WINDOWS\SYSTEM32\gicctfahzw.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE26⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\GICCTFAHZW.EXE27⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\onlqrfhsud.exe"C:\WINDOWS\SYSTEM32\onlqrfhsud.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE28⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\ONLQRFHSUD.EXE29⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\dkuvpfovpc.exe"C:\WINDOWS\SYSTEM32\dkuvpfovpc.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE30⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\DKUVPFOVPC.EXE31⤵
-
C:\WINDOWS\SysWOW64\wgmomgtodx.exe"C:\WINDOWS\SYSTEM32\wgmomgtodx.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE32⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\WGMOMGTODX.EXE33⤵
-
C:\WINDOWS\SysWOW64\rxoqjvcqet.exe"C:\WINDOWS\SYSTEM32\rxoqjvcqet.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE34⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\RXOQJVCQET.EXE35⤵
-
C:\WINDOWS\SysWOW64\wkieoemqta.exe"C:\WINDOWS\SYSTEM32\wkieoemqta.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE36⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\WKIEOEMQTA.EXE37⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\vrihkhxnwj.exe"C:\WINDOWS\SYSTEM32\vrihkhxnwj.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE38⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\VRIHKHXNWJ.EXE39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\jionsjpual.exe"C:\WINDOWS\SYSTEM32\jionsjpual.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE40⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\JIONSJPUAL.EXE41⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\wwpaehwpxu.exe"C:\WINDOWS\SYSTEM32\wwpaehwpxu.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE42⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\quyvgflpxr.exe"C:\WINDOWS\SYSTEM32\quyvgflpxr.exe" mElTC:\WINDOWS\SYSWOW64\WWPAEHWPXU.EXE43⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\QUYVGFLPXR.EXE44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\qvjgyzypaz.exe"C:\WINDOWS\SYSTEM32\qvjgyzypaz.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE45⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\QVJGYZYPAZ.EXE46⤵
-
C:\WINDOWS\SysWOW64\whmzwqfgke.exe"C:\WINDOWS\SYSTEM32\whmzwqfgke.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE47⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\WHMZWQFGKE.EXE48⤵
-
C:\WINDOWS\SysWOW64\otcpkhnnzy.exe"C:\WINDOWS\SYSTEM32\otcpkhnnzy.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE49⤵
-
C:\WINDOWS\SysWOW64\izqazzwjts.exe"C:\WINDOWS\SYSTEM32\izqazzwjts.exe" mElTC:\WINDOWS\SYSWOW64\OTCPKHNNZY.EXE50⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\IZQAZZWJTS.EXE51⤵
-
C:\WINDOWS\SysWOW64\ihqdwcpowb.exe"C:\WINDOWS\SYSTEM32\ihqdwcpowb.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE52⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\IHQDWCPOWB.EXE53⤵
-
C:\WINDOWS\SysWOW64\vxwjeezvad.exe"C:\WINDOWS\SYSTEM32\vxwjeezvad.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE54⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\VXWJEEZVAD.EXE55⤵
-
C:\WINDOWS\SysWOW64\nmxrfamwxi.exe"C:\WINDOWS\SYSTEM32\nmxrfamwxi.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE56⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\NMXRFAMWXI.EXE57⤵
-
C:\WINDOWS\SysWOW64\tdefzvaiab.exe"C:\WINDOWS\SYSTEM32\tdefzvaiab.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE58⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\TDEFZVAIAB.EXE59⤵
-
C:\WINDOWS\SysWOW64\ahyiwasowi.exe"C:\WINDOWS\SYSTEM32\ahyiwasowi.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE60⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\AHYIWASOWI.EXE61⤵
-
C:\WINDOWS\SysWOW64\qtggwiiffd.exe"C:\WINDOWS\SYSTEM32\qtggwiiffd.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE62⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\QTGGWIIFFD.EXE63⤵
-
C:\WINDOWS\SysWOW64\atvggbufjs.exe"C:\WINDOWS\SYSTEM32\atvggbufjs.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE64⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\ATVGGBUFJS.EXE65⤵
-
C:\WINDOWS\SysWOW64\pftzkyqsgz.exe"C:\WINDOWS\SYSTEM32\pftzkyqsgz.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE66⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\PFTZKYQSGZ.EXE67⤵
-
C:\WINDOWS\SysWOW64\liiahztyrf.exe"C:\WINDOWS\SYSTEM32\liiahztyrf.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE68⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\LIIAHZTYRF.EXE69⤵
-
C:\WINDOWS\SysWOW64\igqgmfeemw.exe"C:\WINDOWS\SYSTEM32\igqgmfeemw.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE70⤵
-
C:\WINDOWS\SysWOW64\fsmbkikjtt.exe"C:\WINDOWS\SYSTEM32\fsmbkikjtt.exe" mElTC:\WINDOWS\SYSWOW64\IGQGMFEEMW.EXE71⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\FSMBKIKJTT.EXE72⤵
-
C:\WINDOWS\SysWOW64\nhigifrtvt.exe"C:\WINDOWS\SYSTEM32\nhigifrtvt.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE73⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\NHIGIFRTVT.EXE74⤵
-
C:\WINDOWS\SysWOW64\pgybzjkfda.exe"C:\WINDOWS\SYSTEM32\pgybzjkfda.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE75⤵
-
C:\WINDOWS\SysWOW64\npibnikpxk.exe"C:\WINDOWS\SYSTEM32\npibnikpxk.exe" mElTC:\WINDOWS\SYSWOW64\PGYBZJKFDA.EXE76⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\NPIBNIKPXK.EXE77⤵
-
C:\WINDOWS\SysWOW64\pkvxfpuzob.exe"C:\WINDOWS\SYSTEM32\pkvxfpuzob.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE78⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\PKVXFPUZOB.EXE79⤵
-
C:\WINDOWS\SysWOW64\cbsxbkopxx.exe"C:\WINDOWS\SYSTEM32\cbsxbkopxx.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE80⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\CBSXBKOPXX.EXE81⤵
-
C:\WINDOWS\SysWOW64\cfonviarnb.exe"C:\WINDOWS\SYSTEM32\cfonviarnb.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE82⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\CFONVIARNB.EXE83⤵
-
C:\WINDOWS\SysWOW64\ftrwqxixjw.exe"C:\WINDOWS\SYSTEM32\ftrwqxixjw.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE84⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\FTRWQXIXJW.EXE85⤵
-
C:\WINDOWS\SysWOW64\ucmbdbtumo.exe"C:\WINDOWS\SYSTEM32\ucmbdbtumo.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE86⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\UCMBDBTUMO.EXE87⤵
-
C:\WINDOWS\SysWOW64\ksjnjnkrjx.exe"C:\WINDOWS\SYSTEM32\ksjnjnkrjx.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE88⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\KSJNJNKRJX.EXE89⤵
-
C:\WINDOWS\SysWOW64\xybvjdtmdp.exe"C:\WINDOWS\SYSTEM32\xybvjdtmdp.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE90⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\XYBVJDTMDP.EXE91⤵
-
C:\WINDOWS\SysWOW64\ukxizgzzrn.exe"C:\WINDOWS\SYSTEM32\ukxizgzzrn.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE92⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\UKXIZGZZRN.EXE93⤵
-
C:\WINDOWS\SysWOW64\ssiqueyjtx.exe"C:\WINDOWS\SYSTEM32\ssiqueyjtx.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE94⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\SSIQUEYJTX.EXE95⤵
-
C:\WINDOWS\SysWOW64\xczqwjkgvj.exe"C:\WINDOWS\SYSTEM32\xczqwjkgvj.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE96⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\XCZQWJKGVJ.EXE97⤵
-
C:\WINDOWS\SysWOW64\uovwgyacqs.exe"C:\WINDOWS\SYSTEM32\uovwgyacqs.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE98⤵
-
C:\WINDOWS\SysWOW64\xjyttmudyz.exe"C:\WINDOWS\SYSTEM32\xjyttmudyz.exe" mElTC:\WINDOWS\SYSWOW64\UOVWGYACQS.EXE99⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\XJYTTMUDYZ.EXE100⤵
-
C:\WINDOWS\SysWOW64\zbzwxhibzx.exe"C:\WINDOWS\SYSTEM32\zbzwxhibzx.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE101⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\ZBZWXHIBZX.EXE102⤵
-
C:\WINDOWS\SysWOW64\fzgcqdondq.exe"C:\WINDOWS\SYSTEM32\fzgcqdondq.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE103⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\FZGCQDONDQ.EXE104⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\WINDOWS\SysWOW64\hywktpfzyv.exe"C:\WINDOWS\SYSTEM32\hywktpfzyv.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE105⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\HYWKTPFZYV.EXE106⤵
-
C:\WINDOWS\SysWOW64\cxnlobwebz.exe"C:\WINDOWS\SYSTEM32\cxnlobwebz.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE107⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\CXNLOBWEBZ.EXE108⤵
-
C:\WINDOWS\SysWOW64\rrtedjfdqw.exe"C:\WINDOWS\SYSTEM32\rrtedjfdqw.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE109⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\RRTEDJFDQW.EXE110⤵
-
C:\WINDOWS\SysWOW64\hzqpjnwavn.exe"C:\WINDOWS\SYSTEM32\hzqpjnwavn.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE111⤵
-
C:\WINDOWS\SysWOW64\wwzuhnddqu.exe"C:\WINDOWS\SYSTEM32\wwzuhnddqu.exe" mElTC:\WINDOWS\SYSWOW64\HZQPJNWAVN.EXE112⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\WWZUHNDDQU.EXE113⤵
-
C:\WINDOWS\SysWOW64\jzinktunzb.exe"C:\WINDOWS\SYSTEM32\jzinktunzb.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE114⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\JZINKTUNZB.EXE115⤵
-
C:\WINDOWS\SysWOW64\rggybqhodi.exe"C:\WINDOWS\SYSTEM32\rggybqhodi.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE116⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\RGGYBQHODI.EXE117⤵
-
C:\WINDOWS\SysWOW64\urhtzgwvla.exe"C:\WINDOWS\SYSTEM32\urhtzgwvla.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE118⤵
-
C:\WINDOWS\SysWOW64\gcasServ32.exe"C:\WINDOWS\SYSTEM32\gcasServ32.exe" mElTC:\WINDOWS\SYSWOW64\URHTZGWVLA.EXE119⤵
-
C:\WINDOWS\SysWOW64\uohkwwcscd.exe"C:\WINDOWS\SYSTEM32\uohkwwcscd.exe" mElTC:\WINDOWS\SYSWOW64\GCASSERV32.EXE120⤵
-
C:\WINDOWS\SysWOW64\klqxuwjdxc.exe"C:\WINDOWS\SYSTEM32\klqxuwjdxc.exe" mElTC:\WINDOWS\SYSWOW64\UOHKWWCSCD.EXE121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-