Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
01/11/2023, 20:48
General
-
Target
NEAS.6d0f5b007beb7838545d02e034663370_JC.exe
-
Size
1.6MB
-
MD5
6d0f5b007beb7838545d02e034663370
-
SHA1
28a4554f1076a07cf0d1bd743981dd0df9e83f9e
-
SHA256
5ecee1141b1ae4bcda763c53284cd838f7fb76562457af83d9aa6b308e6bcd7f
-
SHA512
bc612efb85df37aaa2726a9d86f1597f65b810576202328b72e9e73ffb406df8b798c40a79ba857dc0d8d947d92206ab011fa09049be26adaae7b64e8ff7c06a
-
SSDEEP
24576:jq4gu5YyCtCCm0BmmvFimm00Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2Y:tgu5RCtCmiFbazR0vKLXZ+Ktz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.6d0f5b007beb7838545d02e034663370_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.6d0f5b007beb7838545d02e034663370_JC.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ebdcld32.exeC:\Windows\system32\Ebdcld32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\Ppgegd32.exeC:\Windows\system32\Ppgegd32.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
-
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bpdnjple.exeC:\Windows\system32\Bpdnjple.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe10⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe20⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe24⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe34⤵
-
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe36⤵
-
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe37⤵
-
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe38⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe39⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe40⤵
-
C:\Windows\SysWOW64\Ibqnkh32.exeC:\Windows\system32\Ibqnkh32.exe41⤵
-
C:\Windows\SysWOW64\Iimcma32.exeC:\Windows\system32\Iimcma32.exe42⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe43⤵
-
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe44⤵
-
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe46⤵
-
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe47⤵
-
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe48⤵
-
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe49⤵
-
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe50⤵
-
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe51⤵
-
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe52⤵
-
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe54⤵
-
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe55⤵
-
C:\Windows\SysWOW64\Lckboblp.exeC:\Windows\system32\Lckboblp.exe56⤵
-
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe58⤵
-
C:\Windows\SysWOW64\Modpib32.exeC:\Windows\system32\Modpib32.exe59⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Mcdeeq32.exeC:\Windows\system32\Mcdeeq32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe61⤵
-
C:\Windows\SysWOW64\Momcpa32.exeC:\Windows\system32\Momcpa32.exe62⤵
-
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe63⤵
-
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe64⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe65⤵
-
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe66⤵
-
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe67⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ofegni32.exeC:\Windows\system32\Ofegni32.exe68⤵
-
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe69⤵
-
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe70⤵
-
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
-
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe72⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe73⤵
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe74⤵
-
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe75⤵
-
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe77⤵
-
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe78⤵
-
C:\Windows\SysWOW64\Pmbegqjk.exeC:\Windows\system32\Pmbegqjk.exe79⤵
-
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe80⤵
-
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe81⤵
-
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe82⤵
-
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe84⤵
-
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe85⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe86⤵
-
C:\Windows\SysWOW64\Amnebo32.exeC:\Windows\system32\Amnebo32.exe87⤵
-
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe88⤵
-
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe89⤵
-
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe90⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe91⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe92⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bbaclegm.exeC:\Windows\system32\Bbaclegm.exe93⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe94⤵
-
C:\Windows\SysWOW64\Bphqji32.exeC:\Windows\system32\Bphqji32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe96⤵
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe97⤵
-
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe98⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe99⤵
-
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe100⤵
-
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe101⤵
-
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe102⤵
-
C:\Windows\SysWOW64\Dphiaffa.exeC:\Windows\system32\Dphiaffa.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dnljkk32.exeC:\Windows\system32\Dnljkk32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe105⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe106⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe107⤵
-
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe108⤵
-
C:\Windows\SysWOW64\Dncpkjoc.exeC:\Windows\system32\Dncpkjoc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe110⤵
-
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe111⤵
-
C:\Windows\SysWOW64\Ejlnfjbd.exeC:\Windows\system32\Ejlnfjbd.exe112⤵
-
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe113⤵
-
C:\Windows\SysWOW64\Eafbmgad.exeC:\Windows\system32\Eafbmgad.exe114⤵
-
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe116⤵
-
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe117⤵
-
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe118⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe119⤵
-
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe120⤵
-
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-