Windows Analysis Report
h879iieoae.exe

Overview

General Information

Sample name: h879iieoae.exe
renamed because original name is a hash value
Original sample name: 55f3f17f1a264e2b9a8aa9d5750696688fc4a7bbd530ab74224db9939c974d09.exe
Analysis ID: 1545775
MD5: b6ff4e20e2b53b684a7cb84630d836fa
SHA1: 58f690a95f195f70e6fc59ce67855941bd817f7a
SHA256: 55f3f17f1a264e2b9a8aa9d5750696688fc4a7bbd530ab74224db9939c974d09
Tags: arch-x64arch-x86exeimage-win10v2004-20241007-enlocale-en-usos-windows10-2004-x64systemhatchingtraigeneikiinsightportaluser-NeikiSamples
Infos:

Detection

Berbew
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Berbew
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: h879iieoae.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\Accicdme.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bgibkegc.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Cnjaioih.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Dfcboo32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ckaenpam.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Baagdk32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bnnampcf.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Eoappk32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ajikgq32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ajkolbad.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Chfnmf32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Bdlhdkdf.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Clqdacnn.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bpghkh32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Edgbhcim.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ekpkmk32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Ccapffke.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ekpjke32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Emogai32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ahhhnd32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Windows\SysWOW64\Camgpi32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Ceampi32.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bqjacldl.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Avira: detection malicious, Label: TR/Spy.Qukart.NB
Source: C:\Windows\SysWOW64\Akghbg32.dll Avira: detection malicious, Label: TR/ATRAPS.Gen
Multi AV Scanner detection for domain / URL
Source: http://tat-neftbank.ru/wcmd.htm Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\Accicdme.dll ReversingLabs: Detection: 90%
Source: C:\Windows\SysWOW64\Ahhhnd32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ajikgq32.dll ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Akghbg32.dll ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\Bdlhdkdf.dll ReversingLabs: Detection: 100%
Source: C:\Windows\SysWOW64\Bpghkh32.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Chfnmf32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Ckaenpam.dll ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Clqdacnn.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ekpjke32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ekpkmk32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Fcjdhk32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Fehgpcld.dll ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Fkdfmkhi.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Flhljo32.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Foelkeee.dll ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Gfdcflnh.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Hdgplo32.dll ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Hjanmb32.dll ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Hjdhea32.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Hjjfnehb.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ibbpip32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ibigijoc.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Iemjhp32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Ipqipqal.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Jcofqqkm.dll ReversingLabs: Detection: 91%
Source: C:\Windows\SysWOW64\Jdackq32.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Jgemldcp.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Kfnpbj32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Khlnhl32.dll ReversingLabs: Detection: 100%
Source: C:\Windows\SysWOW64\Lbfpda32.dll ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\Lfcadoap.dll ReversingLabs: Detection: 89%
Source: C:\Windows\SysWOW64\Lfjejf32.dll ReversingLabs: Detection: 96%
Multi AV Scanner detection for submitted file
Source: h879iieoae.exe ReversingLabs: Detection: 81%
Source: h879iieoae.exe Virustotal: Detection: 81% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\Accicdme.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bgibkegc.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cnjaioih.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dfcboo32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ckaenpam.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Baagdk32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bnnampcf.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Eoappk32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ajikgq32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ajkolbad.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Chfnmf32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bdlhdkdf.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Clqdacnn.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bpghkh32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Edgbhcim.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ekpkmk32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ccapffke.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ekpjke32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Emogai32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ahhhnd32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Camgpi32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ceampi32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bqjacldl.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Akghbg32.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: h879iieoae.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: h879iieoae.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 0_2_00403A6B
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then add ebx, 04h 0_2_00403A6B
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then jl 00403A8Fh 0_2_00403A6B
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then add eax, 0Ch 0_2_00403A6B
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then popad 0_2_00403A6B
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then mov ebx, dword ptr [eax] 0_2_0042E00C
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then pop edi 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then mov ebx, 00407EF8h 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then sub ecx, eax 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then xor edx, edx 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then push eax 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then div edi 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then xchg eax, ecx 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then add eax, edi 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then loop 00403B3Eh 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then mov eax, 0042A000h 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then mov ebx, 0042CD70h 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then sub ecx, eax 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then xor edx, edx 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then push eax 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then div edi 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then xchg eax, ecx 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then add eax, edi 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then loop 00403B9Eh 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then popad 0_2_00403AC7
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then je 00403A1Ch 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then xor dword ptr [eax], ecx 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then inc eax 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then jne 004039F2h 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then mov eax, 0042A000h 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then je 00403A52h 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then xor dword ptr [eax], ecx 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then add eax, 04h 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then jne 00403A3Ah 0_2_004039CE
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 4x nop then popad 0_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 1_2_00403A6B
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then add ebx, 04h 1_2_00403A6B
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then jl 00403A8Fh 1_2_00403A6B
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then add eax, 0Ch 1_2_00403A6B
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then popad 1_2_00403A6B
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then call 0042E00Ch 1_2_0042E000
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xor dword ptr [ebx], edx 1_2_0042E00C
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then cmp ebx, ecx 1_2_0042E00C
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then jl 0042E030h 1_2_0042E00C
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then popad 1_2_0042E00C
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then pop edi 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then mov ebx, 00407EF8h 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then sub ecx, eax 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xor edx, edx 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then push eax 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then div edi 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xchg eax, ecx 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then add eax, edi 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then loop 00403B3Eh 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then mov eax, 0042A000h 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then mov ebx, 0042CD70h 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then sub ecx, eax 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xor edx, edx 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then push eax 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then div edi 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xchg eax, ecx 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then add eax, edi 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then loop 00403B9Eh 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then popad 1_2_00403AC7
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then je 00403A1Ch 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xor dword ptr [eax], ecx 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then inc eax 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then jne 004039F2h 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then mov eax, 0042A000h 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then je 00403A52h 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then xor dword ptr [eax], ecx 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then add eax, 04h 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then jne 00403A3Ah 1_2_004039CE
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 4x nop then popad 1_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 2_2_00403A6B
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then add ebx, 04h 2_2_00403A6B
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then jl 00403A8Fh 2_2_00403A6B
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then add eax, 0Ch 2_2_00403A6B
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then popad 2_2_00403A6B
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then jne 0042E06Ch 2_2_0042E000
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then pop edi 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then mov ebx, 00407EF8h 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then sub ecx, eax 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xor edx, edx 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then push eax 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then div edi 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xchg eax, ecx 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then add eax, edi 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then loop 00403B3Eh 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then mov eax, 0042A000h 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then mov ebx, 0042CD70h 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then sub ecx, eax 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xor edx, edx 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then push eax 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then div edi 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xchg eax, ecx 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then add eax, edi 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then loop 00403B9Eh 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then popad 2_2_00403AC7
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xor dword ptr [eax], esi 2_2_0042E0A1
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then jmp 00401219h 2_2_0042E0A1
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then je 00403A1Ch 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xor dword ptr [eax], ecx 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then inc eax 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then jne 004039F2h 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then mov eax, 0042A000h 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then je 00403A52h 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then xor dword ptr [eax], ecx 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then add eax, 04h 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then jne 00403A3Ah 2_2_004039CE
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 4x nop then popad 2_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 3_2_00403A6B
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then add ebx, 04h 3_2_00403A6B
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then jl 00403A8Fh 3_2_00403A6B
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then add eax, 0Ch 3_2_00403A6B
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then popad 3_2_00403A6B
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then pushad 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov ebx, 00407EF8h 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov ecx, ebx 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then push eax 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then pop eax 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov esi, 2D4E56AAh 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then je 0042E0D2h 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then push eax 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xchg eax, ecx 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then add eax, edi 3_2_0042E000
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then pop edi 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov ebx, 00407EF8h 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then sub ecx, eax 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xor edx, edx 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then push eax 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then div edi 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xchg eax, ecx 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then add eax, edi 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then loop 00403B3Eh 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov eax, 0042A000h 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov ebx, 0042CD70h 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then sub ecx, eax 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xor edx, edx 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then push eax 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then div edi 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xchg eax, ecx 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then add eax, edi 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then loop 00403B9Eh 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then popad 3_2_00403AC7
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then je 00403A1Ch 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xor dword ptr [eax], ecx 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then inc eax 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then jne 004039F2h 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then mov eax, 0042A000h 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then je 00403A52h 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then xor dword ptr [eax], ecx 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then add eax, 04h 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then jne 00403A3Ah 3_2_004039CE
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 4x nop then popad 3_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 4_2_00403A6B
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then add ebx, 04h 4_2_00403A6B
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then jl 00403A8Fh 4_2_00403A6B
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then add eax, 0Ch 4_2_00403A6B
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then popad 4_2_00403A6B
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 4_2_0042E00C
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then pop edi 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then mov ebx, 00407EF8h 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then sub ecx, eax 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then xor edx, edx 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then push eax 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then div edi 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then xchg eax, ecx 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then add eax, edi 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then loop 00403B3Eh 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then mov eax, 0042A000h 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then mov ebx, 0042CD70h 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then sub ecx, eax 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then xor edx, edx 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then push eax 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then div edi 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then xchg eax, ecx 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then add eax, edi 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then loop 00403B9Eh 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then popad 4_2_00403AC7
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then je 00403A1Ch 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then xor dword ptr [eax], ecx 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then inc eax 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then jne 004039F2h 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then mov eax, 0042A000h 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then je 00403A52h 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then xor dword ptr [eax], ecx 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then add eax, 04h 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then jne 00403A3Ah 4_2_004039CE
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4x nop then popad 4_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 5_2_00403A6B
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then add ebx, 04h 5_2_00403A6B
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then jl 00403A8Fh 5_2_00403A6B
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then add eax, 0Ch 5_2_00403A6B
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then popad 5_2_00403A6B
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then test eax, eax 5_2_0042E000
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then inc eax 5_2_0042E000
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then cmp eax, ebx 5_2_0042E000
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then pop edi 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then mov ebx, 00407EF8h 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then sub ecx, eax 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xor edx, edx 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then push eax 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then div edi 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xchg eax, ecx 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then add eax, edi 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then loop 00403B3Eh 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then mov eax, 0042A000h 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then mov ebx, 0042CD70h 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then sub ecx, eax 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xor edx, edx 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then push eax 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then div edi 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xchg eax, ecx 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then add eax, edi 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then loop 00403B9Eh 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then popad 5_2_00403AC7
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xchg eax, ecx 5_2_0042E0A0
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then add eax, edi 5_2_0042E0A0
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then je 00403A1Ch 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xor dword ptr [eax], ecx 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then inc eax 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then jne 004039F2h 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then mov eax, 0042A000h 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then je 00403A52h 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then xor dword ptr [eax], ecx 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then add eax, 04h 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then jne 00403A3Ah 5_2_004039CE
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 4x nop then popad 5_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 6_2_00403A6B
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then add ebx, 04h 6_2_00403A6B
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then jl 00403A8Fh 6_2_00403A6B
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then add eax, 0Ch 6_2_00403A6B
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then popad 6_2_00403A6B
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then mov ebx, 00407EF8h 6_2_0042E000
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then sub ecx, eax 6_2_0042E000
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then push eax 6_2_0042E000
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then popad 6_2_0042E000
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then pop edi 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then mov ebx, 00407EF8h 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then sub ecx, eax 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then xor edx, edx 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then push eax 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then div edi 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then xchg eax, ecx 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then add eax, edi 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then loop 00403B3Eh 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then mov eax, 0042A000h 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then mov ebx, 0042CD70h 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then sub ecx, eax 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then xor edx, edx 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then push eax 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then div edi 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then xchg eax, ecx 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then add eax, edi 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then loop 00403B9Eh 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then popad 6_2_00403AC7
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then je 00403A1Ch 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then xor dword ptr [eax], ecx 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then inc eax 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then jne 004039F2h 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then mov eax, 0042A000h 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then je 00403A52h 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then xor dword ptr [eax], ecx 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then add eax, 04h 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then jne 00403A3Ah 6_2_004039CE
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 4x nop then popad 6_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 7_2_00403A6B
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then add ebx, 04h 7_2_00403A6B
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then jl 00403A8Fh 7_2_00403A6B
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then add eax, 0Ch 7_2_00403A6B
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then popad 7_2_00403A6B
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 7_2_0042E00C
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov edx, dword ptr [eax+08h] 7_2_0042E00C
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then add ebx, 04h 7_2_0042E00C
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then jne 0042E01Eh 7_2_0042E00C
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then pop edi 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov ebx, 00407EF8h 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then sub ecx, eax 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then xor edx, edx 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then push eax 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then div edi 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then xchg eax, ecx 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then add eax, edi 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then loop 00403B3Eh 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov eax, 0042A000h 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov ebx, 0042CD70h 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then sub ecx, eax 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then xor edx, edx 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then push eax 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then div edi 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then xchg eax, ecx 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then add eax, edi 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then loop 00403B9Eh 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then popad 7_2_00403AC7
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then je 00403A1Ch 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then xor dword ptr [eax], ecx 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then inc eax 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then jne 004039F2h 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then mov eax, 0042A000h 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then je 00403A52h 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then xor dword ptr [eax], ecx 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then add eax, 04h 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then jne 00403A3Ah 7_2_004039CE
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 4x nop then popad 7_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 8_2_00403A6B
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then add ebx, 04h 8_2_00403A6B
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then jl 00403A8Fh 8_2_00403A6B
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then add eax, 0Ch 8_2_00403A6B
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then popad 8_2_00403A6B
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then pushad 8_2_0042E000
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_0042E000
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then jne 0042E024h 8_2_0042E000
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then test eax, eax 8_2_0042E000
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then je 0042E084h 8_2_0042E000
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_0042E000
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then pop edi 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then mov ebx, 00407EF8h 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then sub ecx, eax 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xor edx, edx 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then push eax 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then div edi 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xchg eax, ecx 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then add eax, edi 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then loop 00403B3Eh 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then mov eax, 0042A000h 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then mov ebx, 0042CD70h 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then sub ecx, eax 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xor edx, edx 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then push eax 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then div edi 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xchg eax, ecx 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then add eax, edi 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then loop 00403B9Eh 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then popad 8_2_00403AC7
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then popad 8_2_0042E09D
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then je 00403A1Ch 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then inc eax 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then jne 004039F2h 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then mov eax, 0042A000h 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then je 00403A52h 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then add eax, 04h 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then jne 00403A3Ah 8_2_004039CE
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 4x nop then popad 8_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 9_2_00403A6B
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then add ebx, 04h 9_2_00403A6B
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then jl 00403A8Fh 9_2_00403A6B
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then add eax, 0Ch 9_2_00403A6B
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then popad 9_2_00403A6B
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then div edi 9_2_0042E000
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xchg eax, ecx 9_2_0042E000
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then cmp eax, 00000000h 9_2_0042E000
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then mov ebx, 0042CD70h 9_2_0042E000
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then popad 9_2_0042E000
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then jmp 00401219h 9_2_0042E000
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then pop edi 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then mov ebx, 00407EF8h 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then sub ecx, eax 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xor edx, edx 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then push eax 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then div edi 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xchg eax, ecx 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then add eax, edi 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then loop 00403B3Eh 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then mov eax, 0042A000h 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then mov ebx, 0042CD70h 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then sub ecx, eax 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xor edx, edx 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then push eax 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then div edi 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xchg eax, ecx 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then add eax, edi 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then loop 00403B9Eh 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then popad 9_2_00403AC7
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then je 00403A1Ch 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xor dword ptr [eax], ecx 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then inc eax 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then jne 004039F2h 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then mov eax, 0042A000h 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then je 00403A52h 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then xor dword ptr [eax], ecx 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then add eax, 04h 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then jne 00403A3Ah 9_2_004039CE
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 4x nop then popad 9_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add ebx, 04h 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then jl 00403A8Fh 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add eax, 0Ch 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then popad 10_2_00403A6B
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add eax, 00403AC5h 10_2_0042E00C
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then mov ebx, dword ptr [eax] 10_2_0042E00C
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add eax, 0Ch 10_2_0042E00C
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then pop edi 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then mov ebx, 00407EF8h 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then sub ecx, eax 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then xor edx, edx 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then push eax 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then div edi 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then xchg eax, ecx 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add eax, edi 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then loop 00403B3Eh 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then mov eax, 0042A000h 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then mov ebx, 0042CD70h 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then sub ecx, eax 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then xor edx, edx 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then push eax 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then div edi 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then xchg eax, ecx 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add eax, edi 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then loop 00403B9Eh 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then popad 10_2_00403AC7
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then je 00403A1Ch 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then xor dword ptr [eax], ecx 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then inc eax 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then jne 004039F2h 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then mov eax, 0042A000h 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then je 00403A52h 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then xor dword ptr [eax], ecx 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then add eax, 04h 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then jne 00403A3Ah 10_2_004039CE
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 4x nop then popad 10_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then add ebx, 04h 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then jl 00403A8Fh 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then add eax, 0Ch 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then popad 11_2_00403A6B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then call 0042E00Ch 11_2_0042E000
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then pop eax 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then mov edx, dword ptr [eax+08h] 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then cmp dword ptr [eax], 00000000h 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then popad 11_2_0042E00C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then pop edi 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then mov ebx, 00407EF8h 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then sub ecx, eax 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then xor edx, edx 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then push eax 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then div edi 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then xchg eax, ecx 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then add eax, edi 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then loop 00403B3Eh 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then mov eax, 0042A000h 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then mov ebx, 0042CD70h 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then sub ecx, eax 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then xor edx, edx 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then push eax 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then div edi 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then xchg eax, ecx 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then add eax, edi 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then loop 00403B9Eh 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then popad 11_2_00403AC7
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then je 00403A1Ch 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then inc eax 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then jne 004039F2h 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then mov eax, 0042A000h 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then je 00403A52h 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then add eax, 04h 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then jne 00403A3Ah 11_2_004039CE
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 4x nop then popad 11_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then add ebx, 04h 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then jl 00403A8Fh 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then add eax, 0Ch 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then popad 12_2_00403A6B
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov ecx, ebx 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then push eax 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov esi, 679D3F73h 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then push eax 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then div edi 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then add eax, edi 12_2_0042E000
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then pop edi 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov ebx, 00407EF8h 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then sub ecx, eax 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then xor edx, edx 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then push eax 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then div edi 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then xchg eax, ecx 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then add eax, edi 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then loop 00403B3Eh 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov eax, 0042A000h 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov ebx, 0042CD70h 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then sub ecx, eax 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then xor edx, edx 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then push eax 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then div edi 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then xchg eax, ecx 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then add eax, edi 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then loop 00403B9Eh 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then popad 12_2_00403AC7
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then je 00403A1Ch 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then xor dword ptr [eax], ecx 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then inc eax 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then jne 004039F2h 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then mov eax, 0042A000h 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then je 00403A52h 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then xor dword ptr [eax], ecx 12_2_004039CE
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 4x nop then add eax, 04h 12_2_004039CE
Source: h879iieoae.exe, Fhedeo32.exe.36.dr, Odekfoij.exe.8.dr, Efgkjnfn.exe.33.dr, Bgibkegc.exe.21.dr, Feidnc32.exe.37.dr, Bgamkfnl.exe.17.dr, Cnjaioih.exe.26.dr, Oeanchcn.exe.5.dr, Dfcboo32.exe.30.dr, Ggmnlk32.exe.39.dr, Baagdk32.exe.22.dr, Bnnampcf.exe.19.dr, Eoappk32.exe.34.dr, Olijjb32.exe.4.dr, Oceoll32.exe.6.dr, Ajkolbad.exe.15.dr, Pqeoao32.exe.13.dr, Cfnpmb32.exe.23.dr, Dnhmjm32.exe.29.dr, Foaigifk.exe.38.dr String found in binary or memory: http://oracle.com/contracts
Source: Fkogfkdj.exe.35.dr String found in binary or memory: http://oracle.com/contracts.
Source: h879iieoae.exe, h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe String found in binary or memory: http://tat-neftbank.ru/kkq.php
Source: h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe, 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, Ppllkpoo.exe, 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, Plbmqa32.exe, 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, Plgflqpn.exe, 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, Pqeoao32.exe, 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, Qgcpihjl.exe, 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, Ajkolbad.exe, 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, Bmlhnnne.exe, 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, Bgamkfnl.exe, 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, Bqjacldl.exe, 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, Bnnampcf.exe, 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp String found in binary or memory: http://tat-neftbank.ru/kkq.phphttp://tat-neftbank.ru/wcmd.htmSoftware
Source: h879iieoae.exe, h879iieoae.exe, 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Nejhbi32.exe, Nejhbi32.exe, 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, Ogjdllpi.exe, Ogjdllpi.exe, 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, Opbieagi.exe, Opbieagi.exe, 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, Oglabl32.exe, Oglabl32.exe, 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, Olijjb32.exe, Olijjb32.exe, 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, Oeanchcn.exe, Oeanchcn.exe, 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, Oceoll32.exe, Oceoll32.exe, 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, Onkcje32.exe, Onkcje32.exe, 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, Odekfoij.exe, Odekfoij.exe, 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, Ojacofgb.exe String found in binary or memory: http://tat-neftbank.ru/wcmd.htm
Source: h879iieoae.exe, Fhedeo32.exe.36.dr, Odekfoij.exe.8.dr, Efgkjnfn.exe.33.dr, Bgibkegc.exe.21.dr, Feidnc32.exe.37.dr, Bgamkfnl.exe.17.dr, Cnjaioih.exe.26.dr, Oeanchcn.exe.5.dr, Dfcboo32.exe.30.dr, Ggmnlk32.exe.39.dr, Baagdk32.exe.22.dr, Bnnampcf.exe.19.dr, Eoappk32.exe.34.dr, Olijjb32.exe.4.dr, Oceoll32.exe.6.dr, Ajkolbad.exe.15.dr, Pqeoao32.exe.13.dr, Cfnpmb32.exe.23.dr, Dnhmjm32.exe.29.dr, Foaigifk.exe.38.dr String found in binary or memory: http://www.oracle.com/education/oln.
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_0040431F GetCurrentThreadId,GetThreadDesktop,CreateDesktopA,SetThreadDesktop, 0_2_0040431F

System Summary
barindex
PE file has a writeable .text section
Source: h879iieoae.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Nejhbi32.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ogjdllpi.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Opbieagi.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oglabl32.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Olijjb32.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oeanchcn.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Oceoll32.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Onkcje32.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Odekfoij.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ojacofgb.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ppllkpoo.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plbmqa32.exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Plgflqpn.exe.12.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pqeoao32.exe.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qgcpihjl.exe.14.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ajkolbad.exe.15.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bmlhnnne.exe.16.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bgamkfnl.exe.17.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bqjacldl.exe.18.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bnnampcf.exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bnpnbp32.exe.20.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bgibkegc.exe.21.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Baagdk32.exe.22.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cfnpmb32.exe.23.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ccapffke.exe.24.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ceampi32.exe.25.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cnjaioih.exe.26.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Camgpi32.exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dmfdkj32.exe.28.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dnhmjm32.exe.29.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dfcboo32.exe.30.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Edgbhcim.exe.31.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Emogai32.exe.32.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Efgkjnfn.exe.33.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Eoappk32.exe.34.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Fkogfkdj.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Fhedeo32.exe.36.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Feidnc32.exe.37.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Foaigifk.exe.38.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ggmnlk32.exe.39.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Creates files inside the system directory
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Nejhbi32.exe Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Nejhbi32.exe:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Jcofqqkm.dll Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe File created: C:\Windows\SysWOW64\Ogjdllpi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe File created: C:\Windows\SysWOW64\Bpghkh32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe File created: C:\Windows\SysWOW64\Opbieagi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe File created: C:\Windows\SysWOW64\Fkdfmkhi.dll Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe File created: C:\Windows\SysWOW64\Oglabl32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe File created: C:\Windows\SysWOW64\Hjanmb32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe File created: C:\Windows\SysWOW64\Olijjb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe File created: C:\Windows\SysWOW64\Jdackq32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe File created: C:\Windows\SysWOW64\Oeanchcn.exe Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe File created: C:\Windows\SysWOW64\Ligdce32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe File created: C:\Windows\SysWOW64\Oceoll32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe File created: C:\Windows\SysWOW64\Pdkggn32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe File created: C:\Windows\SysWOW64\Onkcje32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe File created: C:\Windows\SysWOW64\Fehgpcld.dll Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe File created: C:\Windows\SysWOW64\Odekfoij.exe Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe File created: C:\Windows\SysWOW64\Jgemldcp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe File created: C:\Windows\SysWOW64\Ojacofgb.exe Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe File created: C:\Windows\SysWOW64\Bdlhdkdf.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe File created: C:\Windows\SysWOW64\Ppllkpoo.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe File created: C:\Windows\SysWOW64\Accicdme.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe File created: C:\Windows\SysWOW64\Plbmqa32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe File created: C:\Windows\SysWOW64\Chfnmf32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe File created: C:\Windows\SysWOW64\Plgflqpn.exe Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe File created: C:\Windows\SysWOW64\Lfcadoap.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe File created: C:\Windows\SysWOW64\Pqeoao32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe File created: C:\Windows\SysWOW64\Akghbg32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe File created: C:\Windows\SysWOW64\Qgcpihjl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe File created: C:\Windows\SysWOW64\Clqdacnn.dll Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe File created: C:\Windows\SysWOW64\Ajkolbad.exe Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe File created: C:\Windows\SysWOW64\Khlnhl32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe File created: C:\Windows\SysWOW64\Bmlhnnne.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe File created: C:\Windows\SysWOW64\Iemjhp32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe File created: C:\Windows\SysWOW64\Bgamkfnl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe File created: C:\Windows\SysWOW64\Mfdadc32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe File created: C:\Windows\SysWOW64\Bqjacldl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe File created: C:\Windows\SysWOW64\Pdmohf32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe File created: C:\Windows\SysWOW64\Bnnampcf.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe File created: C:\Windows\SysWOW64\Lfjejf32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe File created: C:\Windows\SysWOW64\Bnpnbp32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe File created: C:\Windows\SysWOW64\Ekpjke32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe File created: C:\Windows\SysWOW64\Bgibkegc.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe File created: C:\Windows\SysWOW64\Pkjmee32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe File created: C:\Windows\SysWOW64\Baagdk32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe File created: C:\Windows\SysWOW64\Foelkeee.dll Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe File created: C:\Windows\SysWOW64\Cfnpmb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe File created: C:\Windows\SysWOW64\Fcjdhk32.dll Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe File created: C:\Windows\SysWOW64\Ccapffke.exe Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe File created: C:\Windows\SysWOW64\Ibigijoc.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe File created: C:\Windows\SysWOW64\Ceampi32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe File created: C:\Windows\SysWOW64\Ipqipqal.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ceampi32.exe File created: C:\Windows\SysWOW64\Cnjaioih.exe
Source: C:\Windows\SysWOW64\Ceampi32.exe File created: C:\Windows\SysWOW64\Hjjfnehb.dll
Source: C:\Windows\SysWOW64\Cnjaioih.exe File created: C:\Windows\SysWOW64\Camgpi32.exe
Source: C:\Windows\SysWOW64\Cnjaioih.exe File created: C:\Windows\SysWOW64\Ahhhnd32.dll
Source: C:\Windows\SysWOW64\Camgpi32.exe File created: C:\Windows\SysWOW64\Dmfdkj32.exe
Source: C:\Windows\SysWOW64\Camgpi32.exe File created: C:\Windows\SysWOW64\Ibbpip32.dll
Source: C:\Windows\SysWOW64\Dmfdkj32.exe File created: C:\Windows\SysWOW64\Dnhmjm32.exe
Source: C:\Windows\SysWOW64\Dmfdkj32.exe File created: C:\Windows\SysWOW64\Hjdhea32.dll
Source: C:\Windows\SysWOW64\Dnhmjm32.exe File created: C:\Windows\SysWOW64\Dfcboo32.exe
Source: C:\Windows\SysWOW64\Dnhmjm32.exe File created: C:\Windows\SysWOW64\Ekpkmk32.dll
Source: C:\Windows\SysWOW64\Dfcboo32.exe File created: C:\Windows\SysWOW64\Edgbhcim.exe
Source: C:\Windows\SysWOW64\Dfcboo32.exe File created: C:\Windows\SysWOW64\Pfgpqb32.dll
Source: C:\Windows\SysWOW64\Edgbhcim.exe File created: C:\Windows\SysWOW64\Emogai32.exe
Source: C:\Windows\SysWOW64\Edgbhcim.exe File created: C:\Windows\SysWOW64\Kfnpbj32.dll
Source: C:\Windows\SysWOW64\Emogai32.exe File created: C:\Windows\SysWOW64\Efgkjnfn.exe
Source: C:\Windows\SysWOW64\Emogai32.exe File created: C:\Windows\SysWOW64\Flhljo32.dll
Source: C:\Windows\SysWOW64\Efgkjnfn.exe File created: C:\Windows\SysWOW64\Eoappk32.exe
Source: C:\Windows\SysWOW64\Efgkjnfn.exe File created: C:\Windows\SysWOW64\Gfdcflnh.dll
Source: C:\Windows\SysWOW64\Eoappk32.exe File created: C:\Windows\SysWOW64\Fkogfkdj.exe
Source: C:\Windows\SysWOW64\Eoappk32.exe File created: C:\Windows\SysWOW64\Lbfpda32.dll
Source: C:\Windows\SysWOW64\Fkogfkdj.exe File created: C:\Windows\SysWOW64\Fhedeo32.exe
Source: C:\Windows\SysWOW64\Fkogfkdj.exe File created: C:\Windows\SysWOW64\Ajikgq32.dll
Source: C:\Windows\SysWOW64\Fhedeo32.exe File created: C:\Windows\SysWOW64\Feidnc32.exe
Source: C:\Windows\SysWOW64\Fhedeo32.exe File created: C:\Windows\SysWOW64\Njaakj32.dll
Source: C:\Windows\SysWOW64\Feidnc32.exe File created: C:\Windows\SysWOW64\Foaigifk.exe
Source: C:\Windows\SysWOW64\Feidnc32.exe File created: C:\Windows\SysWOW64\Hdgplo32.dll
Source: C:\Windows\SysWOW64\Foaigifk.exe File created: C:\Windows\SysWOW64\Ggmnlk32.exe
Source: C:\Windows\SysWOW64\Foaigifk.exe File created: C:\Windows\SysWOW64\Ckaenpam.dll
Detected potential crypto function
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_0042B884 0_2_0042B884
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_0042B884 1_2_0042B884
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_0042B884 2_2_0042B884
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_0042B884 3_2_0042B884
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_0042B884 4_2_0042B884
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_0042B884 5_2_0042B884
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_0042B884 6_2_0042B884
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_0042B884 7_2_0042B884
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_0042B884 8_2_0042B884
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_0042B884 9_2_0042B884
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_0042B884 10_2_0042B884
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_0042B884 11_2_0042B884
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_0042B884 12_2_0042B884
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_0042B884 13_2_0042B884
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_0042B884 14_2_0042B884
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_0042B884 15_2_0042B884
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_0042B884 16_2_0042B884
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_0042B884 17_2_0042B884
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_0042B884 18_2_0042B884
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_0042B884 19_2_0042B884
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_0042B884 20_2_0042B884
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_0042B884 21_2_0042B884
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_0042B884 22_2_0042B884
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_0042B884 23_2_0042B884
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_0042B884 24_2_0042B884
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_0042B884 25_2_0042B884
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_0042B884 26_2_0042B884
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_0042B884 27_2_0042B884
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: String function: 00407EA4 appears 43 times
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: String function: 00407EA4 appears 43 times
PE file contains more sections than normal
Source: Ojacofgb.exe.9.dr Static PE information: Number of sections : 16 > 10
Source: Onkcje32.exe.7.dr Static PE information: Number of sections : 16 > 10
Source: Dmfdkj32.exe.28.dr Static PE information: Number of sections : 16 > 10
Source: Bgamkfnl.exe.17.dr Static PE information: Number of sections : 16 > 10
Source: Camgpi32.exe.27.dr Static PE information: Number of sections : 16 > 10
Source: Nejhbi32.exe.0.dr Static PE information: Number of sections : 16 > 10
Source: Odekfoij.exe.8.dr Static PE information: Number of sections : 16 > 10
Source: Cfnpmb32.exe.23.dr Static PE information: Number of sections : 16 > 10
Source: Dnhmjm32.exe.29.dr Static PE information: Number of sections : 16 > 10
Source: Edgbhcim.exe.31.dr Static PE information: Number of sections : 16 > 10
Source: Cnjaioih.exe.26.dr Static PE information: Number of sections : 16 > 10
Source: h879iieoae.exe Static PE information: Number of sections : 16 > 10
Source: Bqjacldl.exe.18.dr Static PE information: Number of sections : 16 > 10
Source: Bnpnbp32.exe.20.dr Static PE information: Number of sections : 16 > 10
Source: Pqeoao32.exe.13.dr Static PE information: Number of sections : 16 > 10
Source: Ogjdllpi.exe.1.dr Static PE information: Number of sections : 16 > 10
Source: Ceampi32.exe.25.dr Static PE information: Number of sections : 16 > 10
Source: Qgcpihjl.exe.14.dr Static PE information: Number of sections : 16 > 10
Source: Bnnampcf.exe.19.dr Static PE information: Number of sections : 16 > 10
Source: Baagdk32.exe.22.dr Static PE information: Number of sections : 16 > 10
Source: Fhedeo32.exe.36.dr Static PE information: Number of sections : 16 > 10
Source: Olijjb32.exe.4.dr Static PE information: Number of sections : 16 > 10
Source: Bgibkegc.exe.21.dr Static PE information: Number of sections : 16 > 10
Source: Fkogfkdj.exe.35.dr Static PE information: Number of sections : 16 > 10
Source: Foaigifk.exe.38.dr Static PE information: Number of sections : 16 > 10
Source: Oceoll32.exe.6.dr Static PE information: Number of sections : 16 > 10
Source: Efgkjnfn.exe.33.dr Static PE information: Number of sections : 16 > 10
Source: Ppllkpoo.exe.10.dr Static PE information: Number of sections : 16 > 10
Source: Opbieagi.exe.2.dr Static PE information: Number of sections : 16 > 10
Source: Plbmqa32.exe.11.dr Static PE information: Number of sections : 16 > 10
Source: Eoappk32.exe.34.dr Static PE information: Number of sections : 16 > 10
Source: Oeanchcn.exe.5.dr Static PE information: Number of sections : 16 > 10
Source: Ggmnlk32.exe.39.dr Static PE information: Number of sections : 16 > 10
Source: Emogai32.exe.32.dr Static PE information: Number of sections : 16 > 10
Source: Oglabl32.exe.3.dr Static PE information: Number of sections : 16 > 10
Source: Dfcboo32.exe.30.dr Static PE information: Number of sections : 16 > 10
Source: Ccapffke.exe.24.dr Static PE information: Number of sections : 16 > 10
Source: Feidnc32.exe.37.dr Static PE information: Number of sections : 16 > 10
Source: Ajkolbad.exe.15.dr Static PE information: Number of sections : 16 > 10
Source: Bmlhnnne.exe.16.dr Static PE information: Number of sections : 16 > 10
Source: Plgflqpn.exe.12.dr Static PE information: Number of sections : 16 > 10
Uses 32bit PE files
Source: h879iieoae.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@80/81@0/0
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_004017AC CoInitialize,CLSIDFromString,VirtualAlloc,CoCreateInstance, 0_2_004017AC
Source: C:\Users\user\Desktop\h879iieoae.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: h879iieoae.exe ReversingLabs: Detection: 81%
Source: h879iieoae.exe Virustotal: Detection: 81%
Source: C:\Users\user\Desktop\h879iieoae.exe File read: C:\Users\user\Desktop\h879iieoae.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\h879iieoae.exe "C:\Users\user\Desktop\h879iieoae.exe"
Source: C:\Users\user\Desktop\h879iieoae.exe Process created: C:\Windows\SysWOW64\Nejhbi32.exe C:\Windows\system32\Nejhbi32.exe
Source: C:\Windows\SysWOW64\Nejhbi32.exe Process created: C:\Windows\SysWOW64\Ogjdllpi.exe C:\Windows\system32\Ogjdllpi.exe
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Process created: C:\Windows\SysWOW64\Opbieagi.exe C:\Windows\system32\Opbieagi.exe
Source: C:\Windows\SysWOW64\Opbieagi.exe Process created: C:\Windows\SysWOW64\Oglabl32.exe C:\Windows\system32\Oglabl32.exe
Source: C:\Windows\SysWOW64\Oglabl32.exe Process created: C:\Windows\SysWOW64\Olijjb32.exe C:\Windows\system32\Olijjb32.exe
Source: C:\Windows\SysWOW64\Olijjb32.exe Process created: C:\Windows\SysWOW64\Oeanchcn.exe C:\Windows\system32\Oeanchcn.exe
Source: C:\Windows\SysWOW64\Oeanchcn.exe Process created: C:\Windows\SysWOW64\Oceoll32.exe C:\Windows\system32\Oceoll32.exe
Source: C:\Windows\SysWOW64\Oceoll32.exe Process created: C:\Windows\SysWOW64\Onkcje32.exe C:\Windows\system32\Onkcje32.exe
Source: C:\Windows\SysWOW64\Onkcje32.exe Process created: C:\Windows\SysWOW64\Odekfoij.exe C:\Windows\system32\Odekfoij.exe
Source: C:\Windows\SysWOW64\Odekfoij.exe Process created: C:\Windows\SysWOW64\Ojacofgb.exe C:\Windows\system32\Ojacofgb.exe
Source: C:\Windows\SysWOW64\Ojacofgb.exe Process created: C:\Windows\SysWOW64\Ppllkpoo.exe C:\Windows\system32\Ppllkpoo.exe
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Process created: C:\Windows\SysWOW64\Plbmqa32.exe C:\Windows\system32\Plbmqa32.exe
Source: C:\Windows\SysWOW64\Plbmqa32.exe Process created: C:\Windows\SysWOW64\Plgflqpn.exe C:\Windows\system32\Plgflqpn.exe
Source: C:\Windows\SysWOW64\Plgflqpn.exe Process created: C:\Windows\SysWOW64\Pqeoao32.exe C:\Windows\system32\Pqeoao32.exe
Source: C:\Windows\SysWOW64\Pqeoao32.exe Process created: C:\Windows\SysWOW64\Qgcpihjl.exe C:\Windows\system32\Qgcpihjl.exe
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Process created: C:\Windows\SysWOW64\Ajkolbad.exe C:\Windows\system32\Ajkolbad.exe
Source: C:\Windows\SysWOW64\Ajkolbad.exe Process created: C:\Windows\SysWOW64\Bmlhnnne.exe C:\Windows\system32\Bmlhnnne.exe
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Process created: C:\Windows\SysWOW64\Bgamkfnl.exe C:\Windows\system32\Bgamkfnl.exe
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Process created: C:\Windows\SysWOW64\Bqjacldl.exe C:\Windows\system32\Bqjacldl.exe
Source: C:\Windows\SysWOW64\Bqjacldl.exe Process created: C:\Windows\SysWOW64\Bnnampcf.exe C:\Windows\system32\Bnnampcf.exe
Source: C:\Windows\SysWOW64\Bnnampcf.exe Process created: C:\Windows\SysWOW64\Bnpnbp32.exe C:\Windows\system32\Bnpnbp32.exe
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Process created: C:\Windows\SysWOW64\Bgibkegc.exe C:\Windows\system32\Bgibkegc.exe
Source: C:\Windows\SysWOW64\Bgibkegc.exe Process created: C:\Windows\SysWOW64\Baagdk32.exe C:\Windows\system32\Baagdk32.exe
Source: C:\Windows\SysWOW64\Baagdk32.exe Process created: C:\Windows\SysWOW64\Cfnpmb32.exe C:\Windows\system32\Cfnpmb32.exe
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Process created: C:\Windows\SysWOW64\Ccapffke.exe C:\Windows\system32\Ccapffke.exe
Source: C:\Windows\SysWOW64\Ccapffke.exe Process created: C:\Windows\SysWOW64\Ceampi32.exe C:\Windows\system32\Ceampi32.exe
Source: C:\Windows\SysWOW64\Ceampi32.exe Process created: C:\Windows\SysWOW64\Cnjaioih.exe C:\Windows\system32\Cnjaioih.exe
Source: C:\Windows\SysWOW64\Cnjaioih.exe Process created: C:\Windows\SysWOW64\Camgpi32.exe C:\Windows\system32\Camgpi32.exe
Source: C:\Windows\SysWOW64\Camgpi32.exe Process created: C:\Windows\SysWOW64\Dmfdkj32.exe C:\Windows\system32\Dmfdkj32.exe
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Process created: C:\Windows\SysWOW64\Dnhmjm32.exe C:\Windows\system32\Dnhmjm32.exe
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Process created: C:\Windows\SysWOW64\Dfcboo32.exe C:\Windows\system32\Dfcboo32.exe
Source: C:\Windows\SysWOW64\Dfcboo32.exe Process created: C:\Windows\SysWOW64\Edgbhcim.exe C:\Windows\system32\Edgbhcim.exe
Source: C:\Windows\SysWOW64\Edgbhcim.exe Process created: C:\Windows\SysWOW64\Emogai32.exe C:\Windows\system32\Emogai32.exe
Source: C:\Windows\SysWOW64\Emogai32.exe Process created: C:\Windows\SysWOW64\Efgkjnfn.exe C:\Windows\system32\Efgkjnfn.exe
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Process created: C:\Windows\SysWOW64\Eoappk32.exe C:\Windows\system32\Eoappk32.exe
Source: C:\Windows\SysWOW64\Eoappk32.exe Process created: C:\Windows\SysWOW64\Fkogfkdj.exe C:\Windows\system32\Fkogfkdj.exe
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Process created: C:\Windows\SysWOW64\Fhedeo32.exe C:\Windows\system32\Fhedeo32.exe
Source: C:\Windows\SysWOW64\Fhedeo32.exe Process created: C:\Windows\SysWOW64\Feidnc32.exe C:\Windows\system32\Feidnc32.exe
Source: C:\Windows\SysWOW64\Feidnc32.exe Process created: C:\Windows\SysWOW64\Foaigifk.exe C:\Windows\system32\Foaigifk.exe
Source: C:\Users\user\Desktop\h879iieoae.exe Process created: C:\Windows\SysWOW64\Nejhbi32.exe C:\Windows\system32\Nejhbi32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe Process created: C:\Windows\SysWOW64\Ogjdllpi.exe C:\Windows\system32\Ogjdllpi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Process created: C:\Windows\SysWOW64\Opbieagi.exe C:\Windows\system32\Opbieagi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe Process created: C:\Windows\SysWOW64\Oglabl32.exe C:\Windows\system32\Oglabl32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe Process created: C:\Windows\SysWOW64\Olijjb32.exe C:\Windows\system32\Olijjb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe Process created: C:\Windows\SysWOW64\Oeanchcn.exe C:\Windows\system32\Oeanchcn.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe Process created: C:\Windows\SysWOW64\Oceoll32.exe C:\Windows\system32\Oceoll32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe Process created: C:\Windows\SysWOW64\Onkcje32.exe C:\Windows\system32\Onkcje32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe Process created: C:\Windows\SysWOW64\Odekfoij.exe C:\Windows\system32\Odekfoij.exe Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe Process created: C:\Windows\SysWOW64\Ojacofgb.exe C:\Windows\system32\Ojacofgb.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe Process created: C:\Windows\SysWOW64\Ppllkpoo.exe C:\Windows\system32\Ppllkpoo.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Process created: C:\Windows\SysWOW64\Plbmqa32.exe C:\Windows\system32\Plbmqa32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe Process created: C:\Windows\SysWOW64\Plgflqpn.exe C:\Windows\system32\Plgflqpn.exe Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe Process created: C:\Windows\SysWOW64\Pqeoao32.exe C:\Windows\system32\Pqeoao32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe Process created: C:\Windows\SysWOW64\Qgcpihjl.exe C:\Windows\system32\Qgcpihjl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Process created: C:\Windows\SysWOW64\Ajkolbad.exe C:\Windows\system32\Ajkolbad.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe Process created: C:\Windows\SysWOW64\Bmlhnnne.exe C:\Windows\system32\Bmlhnnne.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Process created: C:\Windows\SysWOW64\Bgamkfnl.exe C:\Windows\system32\Bgamkfnl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Process created: C:\Windows\SysWOW64\Bqjacldl.exe C:\Windows\system32\Bqjacldl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe Process created: C:\Windows\SysWOW64\Bnnampcf.exe C:\Windows\system32\Bnnampcf.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe Process created: C:\Windows\SysWOW64\Bnpnbp32.exe C:\Windows\system32\Bnpnbp32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Process created: C:\Windows\SysWOW64\Bgibkegc.exe C:\Windows\system32\Bgibkegc.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe Process created: C:\Windows\SysWOW64\Baagdk32.exe C:\Windows\system32\Baagdk32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe Process created: C:\Windows\SysWOW64\Cfnpmb32.exe C:\Windows\system32\Cfnpmb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Process created: C:\Windows\SysWOW64\Ccapffke.exe C:\Windows\system32\Ccapffke.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe Process created: C:\Windows\SysWOW64\Ceampi32.exe C:\Windows\system32\Ceampi32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ceampi32.exe Process created: C:\Windows\SysWOW64\Cnjaioih.exe C:\Windows\system32\Cnjaioih.exe
Source: C:\Windows\SysWOW64\Cnjaioih.exe Process created: C:\Windows\SysWOW64\Camgpi32.exe C:\Windows\system32\Camgpi32.exe
Source: C:\Windows\SysWOW64\Camgpi32.exe Process created: C:\Windows\SysWOW64\Dmfdkj32.exe C:\Windows\system32\Dmfdkj32.exe
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Process created: C:\Windows\SysWOW64\Dnhmjm32.exe C:\Windows\system32\Dnhmjm32.exe
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Process created: C:\Windows\SysWOW64\Dfcboo32.exe C:\Windows\system32\Dfcboo32.exe
Source: C:\Windows\SysWOW64\Dfcboo32.exe Process created: C:\Windows\SysWOW64\Edgbhcim.exe C:\Windows\system32\Edgbhcim.exe
Source: C:\Windows\SysWOW64\Edgbhcim.exe Process created: C:\Windows\SysWOW64\Emogai32.exe C:\Windows\system32\Emogai32.exe
Source: C:\Windows\SysWOW64\Emogai32.exe Process created: C:\Windows\SysWOW64\Efgkjnfn.exe C:\Windows\system32\Efgkjnfn.exe
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Process created: C:\Windows\SysWOW64\Eoappk32.exe C:\Windows\system32\Eoappk32.exe
Source: C:\Windows\SysWOW64\Eoappk32.exe Process created: C:\Windows\SysWOW64\Fkogfkdj.exe C:\Windows\system32\Fkogfkdj.exe
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Process created: C:\Windows\SysWOW64\Fhedeo32.exe C:\Windows\system32\Fhedeo32.exe
Source: C:\Windows\SysWOW64\Fhedeo32.exe Process created: C:\Windows\SysWOW64\Feidnc32.exe C:\Windows\system32\Feidnc32.exe
Source: C:\Windows\SysWOW64\Feidnc32.exe Process created: C:\Windows\SysWOW64\Foaigifk.exe C:\Windows\system32\Foaigifk.exe
Source: C:\Windows\SysWOW64\Foaigifk.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\h879iieoae.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Olijjb32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oeanchcn.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Oceoll32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ojacofgb.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Pqeoao32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ajkolbad.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ccapffke.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\Ceampi32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ceampi32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ceampi32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ceampi32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Cnjaioih.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Cnjaioih.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Cnjaioih.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Cnjaioih.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Camgpi32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Camgpi32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Camgpi32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Camgpi32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dfcboo32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dfcboo32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dfcboo32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dfcboo32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Edgbhcim.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Edgbhcim.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Edgbhcim.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Edgbhcim.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Emogai32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Emogai32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Emogai32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Emogai32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Eoappk32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Eoappk32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Eoappk32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Eoappk32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Fhedeo32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Fhedeo32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Fhedeo32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Fhedeo32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Feidnc32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Feidnc32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Feidnc32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Feidnc32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Foaigifk.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Foaigifk.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Foaigifk.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Foaigifk.exe Section loaded: ntmarta.dll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00402E06 GetVersion,LoadLibraryA,GetProcAddress,IsBadReadPtr,GlobalMemoryStatus,GetEnvironmentStringsW,CloseHandle,GetModuleHandleA,VirtualQuery,IsBadWritePtr, 0_2_00402E06
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .embm
PE file contains sections with non-standard names
Source: h879iieoae.exe Static PE information: section name: .embm
Source: Nejhbi32.exe.0.dr Static PE information: section name: .embm
Source: Ogjdllpi.exe.1.dr Static PE information: section name: .embm
Source: Opbieagi.exe.2.dr Static PE information: section name: .embm
Source: Oglabl32.exe.3.dr Static PE information: section name: .embm
Source: Olijjb32.exe.4.dr Static PE information: section name: .embm
Source: Oeanchcn.exe.5.dr Static PE information: section name: .embm
Source: Oceoll32.exe.6.dr Static PE information: section name: .embm
Source: Onkcje32.exe.7.dr Static PE information: section name: .embm
Source: Odekfoij.exe.8.dr Static PE information: section name: .embm
Source: Ojacofgb.exe.9.dr Static PE information: section name: .embm
Source: Ppllkpoo.exe.10.dr Static PE information: section name: .embm
Source: Plbmqa32.exe.11.dr Static PE information: section name: .embm
Source: Plgflqpn.exe.12.dr Static PE information: section name: .embm
Source: Pqeoao32.exe.13.dr Static PE information: section name: .embm
Source: Qgcpihjl.exe.14.dr Static PE information: section name: .embm
Source: Ajkolbad.exe.15.dr Static PE information: section name: .embm
Source: Bmlhnnne.exe.16.dr Static PE information: section name: .embm
Source: Bgamkfnl.exe.17.dr Static PE information: section name: .embm
Source: Bqjacldl.exe.18.dr Static PE information: section name: .embm
Source: Bnnampcf.exe.19.dr Static PE information: section name: .embm
Source: Bnpnbp32.exe.20.dr Static PE information: section name: .embm
Source: Bgibkegc.exe.21.dr Static PE information: section name: .embm
Source: Baagdk32.exe.22.dr Static PE information: section name: .embm
Source: Cfnpmb32.exe.23.dr Static PE information: section name: .embm
Source: Ccapffke.exe.24.dr Static PE information: section name: .embm
Source: Ceampi32.exe.25.dr Static PE information: section name: .embm
Source: Cnjaioih.exe.26.dr Static PE information: section name: .embm
Source: Camgpi32.exe.27.dr Static PE information: section name: .embm
Source: Dmfdkj32.exe.28.dr Static PE information: section name: .embm
Source: Dnhmjm32.exe.29.dr Static PE information: section name: .embm
Source: Dfcboo32.exe.30.dr Static PE information: section name: .embm
Source: Edgbhcim.exe.31.dr Static PE information: section name: .embm
Source: Emogai32.exe.32.dr Static PE information: section name: .embm
Source: Efgkjnfn.exe.33.dr Static PE information: section name: .embm
Source: Eoappk32.exe.34.dr Static PE information: section name: .embm
Source: Fkogfkdj.exe.35.dr Static PE information: section name: .embm
Source: Fhedeo32.exe.36.dr Static PE information: section name: .embm
Source: Feidnc32.exe.37.dr Static PE information: section name: .embm
Source: Foaigifk.exe.38.dr Static PE information: section name: .embm
Source: Ggmnlk32.exe.39.dr Static PE information: section name: .embm
Source: h879iieoae.exe Static PE information: section name: .text entropy: 7.190507132248476
Source: Nejhbi32.exe.0.dr Static PE information: section name: .text entropy: 7.183772002837302
Source: Ogjdllpi.exe.1.dr Static PE information: section name: .text entropy: 7.147443164942795
Source: Opbieagi.exe.2.dr Static PE information: section name: .text entropy: 7.178518855910967
Source: Oglabl32.exe.3.dr Static PE information: section name: .text entropy: 7.185742599580611
Source: Olijjb32.exe.4.dr Static PE information: section name: .text entropy: 7.110531950014891
Source: Oeanchcn.exe.5.dr Static PE information: section name: .text entropy: 7.185357437360054
Source: Oceoll32.exe.6.dr Static PE information: section name: .text entropy: 7.168480651808014
Source: Onkcje32.exe.7.dr Static PE information: section name: .text entropy: 7.130939198292088
Source: Odekfoij.exe.8.dr Static PE information: section name: .text entropy: 7.174220243060091
Source: Ojacofgb.exe.9.dr Static PE information: section name: .text entropy: 7.131994312266599
Source: Ppllkpoo.exe.10.dr Static PE information: section name: .text entropy: 7.197605282946569
Source: Plbmqa32.exe.11.dr Static PE information: section name: .text entropy: 7.212747053446963
Source: Plgflqpn.exe.12.dr Static PE information: section name: .text entropy: 7.1777361111263085
Source: Pqeoao32.exe.13.dr Static PE information: section name: .text entropy: 7.177836248776215
Source: Qgcpihjl.exe.14.dr Static PE information: section name: .text entropy: 7.134079001018797
Source: Ajkolbad.exe.15.dr Static PE information: section name: .text entropy: 7.150402572619783
Source: Bmlhnnne.exe.16.dr Static PE information: section name: .text entropy: 7.194431112405807
Source: Bgamkfnl.exe.17.dr Static PE information: section name: .text entropy: 7.0988104927922295
Source: Bqjacldl.exe.18.dr Static PE information: section name: .text entropy: 7.091013664503109
Source: Bnnampcf.exe.19.dr Static PE information: section name: .text entropy: 7.20252439678255
Source: Bnpnbp32.exe.20.dr Static PE information: section name: .text entropy: 7.1751185880285115
Source: Bgibkegc.exe.21.dr Static PE information: section name: .text entropy: 7.158359166193943
Source: Baagdk32.exe.22.dr Static PE information: section name: .text entropy: 7.113332370732262
Source: Cfnpmb32.exe.23.dr Static PE information: section name: .text entropy: 7.113109514581295
Source: Ccapffke.exe.24.dr Static PE information: section name: .text entropy: 7.164772969477855
Source: Ceampi32.exe.25.dr Static PE information: section name: .text entropy: 7.179274547360003
Source: Cnjaioih.exe.26.dr Static PE information: section name: .text entropy: 7.167456147293733
Source: Camgpi32.exe.27.dr Static PE information: section name: .text entropy: 7.196413393675492
Source: Dmfdkj32.exe.28.dr Static PE information: section name: .text entropy: 7.086782180666274
Source: Dnhmjm32.exe.29.dr Static PE information: section name: .text entropy: 7.1935468123219515
Source: Dfcboo32.exe.30.dr Static PE information: section name: .text entropy: 7.176616641968521
Source: Edgbhcim.exe.31.dr Static PE information: section name: .text entropy: 7.1259826879390165
Source: Emogai32.exe.32.dr Static PE information: section name: .text entropy: 7.151027716339847
Source: Efgkjnfn.exe.33.dr Static PE information: section name: .text entropy: 7.165314105248902
Source: Eoappk32.exe.34.dr Static PE information: section name: .text entropy: 7.116004280215482
Source: Fkogfkdj.exe.35.dr Static PE information: section name: .text entropy: 7.127555706075136
Source: Fhedeo32.exe.36.dr Static PE information: section name: .text entropy: 7.18609657669522
Source: Feidnc32.exe.37.dr Static PE information: section name: .text entropy: 7.156173388913616
Source: Foaigifk.exe.38.dr Static PE information: section name: .text entropy: 7.1848996080474326
Source: Ggmnlk32.exe.39.dr Static PE information: section name: .text entropy: 7.179269799391079

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\Oeanchcn.exe Executable created and started: C:\Windows\SysWOW64\Oceoll32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Nejhbi32.exe Executable created and started: C:\Windows\SysWOW64\Ogjdllpi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bqjacldl.exe Executable created and started: C:\Windows\SysWOW64\Bnnampcf.exe Jump to behavior
Source: C:\Windows\SysWOW64\Plbmqa32.exe Executable created and started: C:\Windows\SysWOW64\Plgflqpn.exe Jump to behavior
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Executable created and started: C:\Windows\SysWOW64\Ajkolbad.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Executable created and started: C:\Windows\SysWOW64\Plbmqa32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Executable created and started: C:\Windows\SysWOW64\Bgibkegc.exe Jump to behavior
Source: C:\Windows\SysWOW64\Onkcje32.exe Executable created and started: C:\Windows\SysWOW64\Odekfoij.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Executable created and started: C:\Windows\SysWOW64\Dnhmjm32.exe
Source: C:\Windows\SysWOW64\Ajkolbad.exe Executable created and started: C:\Windows\SysWOW64\Bmlhnnne.exe Jump to behavior
Source: C:\Windows\SysWOW64\Oglabl32.exe Executable created and started: C:\Windows\SysWOW64\Olijjb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bnnampcf.exe Executable created and started: C:\Windows\SysWOW64\Bnpnbp32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dfcboo32.exe Executable created and started: C:\Windows\SysWOW64\Edgbhcim.exe
Source: C:\Windows\SysWOW64\Emogai32.exe Executable created and started: C:\Windows\SysWOW64\Efgkjnfn.exe
Source: C:\Windows\SysWOW64\Cnjaioih.exe Executable created and started: C:\Windows\SysWOW64\Camgpi32.exe
Source: C:\Windows\SysWOW64\Eoappk32.exe Executable created and started: C:\Windows\SysWOW64\Fkogfkdj.exe
Source: C:\Windows\SysWOW64\Ojacofgb.exe Executable created and started: C:\Windows\SysWOW64\Ppllkpoo.exe Jump to behavior
Source: C:\Windows\SysWOW64\Opbieagi.exe Executable created and started: C:\Windows\SysWOW64\Oglabl32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Camgpi32.exe Executable created and started: C:\Windows\SysWOW64\Dmfdkj32.exe
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Executable created and started: C:\Windows\SysWOW64\Dfcboo32.exe
Source: C:\Windows\SysWOW64\Ceampi32.exe Executable created and started: C:\Windows\SysWOW64\Cnjaioih.exe
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Executable created and started: C:\Windows\SysWOW64\Bqjacldl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Executable created and started: C:\Windows\SysWOW64\Eoappk32.exe
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Executable created and started: C:\Windows\SysWOW64\Bgamkfnl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Executable created and started: C:\Windows\SysWOW64\Ccapffke.exe Jump to behavior
Source: C:\Windows\SysWOW64\Edgbhcim.exe Executable created and started: C:\Windows\SysWOW64\Emogai32.exe
Source: C:\Windows\SysWOW64\Pqeoao32.exe Executable created and started: C:\Windows\SysWOW64\Qgcpihjl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Feidnc32.exe Executable created and started: C:\Windows\SysWOW64\Foaigifk.exe
Source: C:\Windows\SysWOW64\Oceoll32.exe Executable created and started: C:\Windows\SysWOW64\Onkcje32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Fhedeo32.exe Executable created and started: C:\Windows\SysWOW64\Feidnc32.exe
Source: C:\Windows\SysWOW64\Olijjb32.exe Executable created and started: C:\Windows\SysWOW64\Oeanchcn.exe Jump to behavior
Source: C:\Windows\SysWOW64\Plgflqpn.exe Executable created and started: C:\Windows\SysWOW64\Pqeoao32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Baagdk32.exe Executable created and started: C:\Windows\SysWOW64\Cfnpmb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Executable created and started: C:\Windows\SysWOW64\Opbieagi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Odekfoij.exe Executable created and started: C:\Windows\SysWOW64\Ojacofgb.exe Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe Executable created and started: C:\Windows\SysWOW64\Nejhbi32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bgibkegc.exe Executable created and started: C:\Windows\SysWOW64\Baagdk32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Executable created and started: C:\Windows\SysWOW64\Fhedeo32.exe
Source: C:\Windows\SysWOW64\Ccapffke.exe Executable created and started: C:\Windows\SysWOW64\Ceampi32.exe Jump to behavior
Drops PE files
Source: C:\Windows\SysWOW64\Bgibkegc.exe File created: C:\Windows\SysWOW64\Foelkeee.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oeanchcn.exe File created: C:\Windows\SysWOW64\Oceoll32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Nejhbi32.exe File created: C:\Windows\SysWOW64\Ogjdllpi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bqjacldl.exe File created: C:\Windows\SysWOW64\Bnnampcf.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Plbmqa32.exe File created: C:\Windows\SysWOW64\Plgflqpn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qgcpihjl.exe File created: C:\Windows\SysWOW64\Ajkolbad.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Opbieagi.exe File created: C:\Windows\SysWOW64\Hjanmb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ppllkpoo.exe File created: C:\Windows\SysWOW64\Plbmqa32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bnpnbp32.exe File created: C:\Windows\SysWOW64\Bgibkegc.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Odekfoij.exe File created: C:\Windows\SysWOW64\Bdlhdkdf.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Onkcje32.exe File created: C:\Windows\SysWOW64\Odekfoij.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ojacofgb.exe File created: C:\Windows\SysWOW64\Accicdme.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ajkolbad.exe File created: C:\Windows\SysWOW64\Iemjhp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dmfdkj32.exe File created: C:\Windows\SysWOW64\Dnhmjm32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bqjacldl.exe File created: C:\Windows\SysWOW64\Lfjejf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ajkolbad.exe File created: C:\Windows\SysWOW64\Bmlhnnne.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Plgflqpn.exe File created: C:\Windows\SysWOW64\Akghbg32.dll Jump to dropped file
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Jcofqqkm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfnpmb32.exe File created: C:\Windows\SysWOW64\Ibigijoc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oglabl32.exe File created: C:\Windows\SysWOW64\Jdackq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ppllkpoo.exe File created: C:\Windows\SysWOW64\Chfnmf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ogjdllpi.exe File created: C:\Windows\SysWOW64\Fkdfmkhi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fkogfkdj.exe File created: C:\Windows\SysWOW64\Ajikgq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Olijjb32.exe File created: C:\Windows\SysWOW64\Ligdce32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oglabl32.exe File created: C:\Windows\SysWOW64\Olijjb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bnnampcf.exe File created: C:\Windows\SysWOW64\Bnpnbp32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dfcboo32.exe File created: C:\Windows\SysWOW64\Edgbhcim.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Emogai32.exe File created: C:\Windows\SysWOW64\Efgkjnfn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Cnjaioih.exe File created: C:\Windows\SysWOW64\Camgpi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Feidnc32.exe File created: C:\Windows\SysWOW64\Hdgplo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Camgpi32.exe File created: C:\Windows\SysWOW64\Ibbpip32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Eoappk32.exe File created: C:\Windows\SysWOW64\Fkogfkdj.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ojacofgb.exe File created: C:\Windows\SysWOW64\Ppllkpoo.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Opbieagi.exe File created: C:\Windows\SysWOW64\Oglabl32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Camgpi32.exe File created: C:\Windows\SysWOW64\Dmfdkj32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dnhmjm32.exe File created: C:\Windows\SysWOW64\Dfcboo32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Efgkjnfn.exe File created: C:\Windows\SysWOW64\Gfdcflnh.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ceampi32.exe File created: C:\Windows\SysWOW64\Cnjaioih.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bnnampcf.exe File created: C:\Windows\SysWOW64\Ekpjke32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ceampi32.exe File created: C:\Windows\SysWOW64\Hjjfnehb.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bgamkfnl.exe File created: C:\Windows\SysWOW64\Bqjacldl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Efgkjnfn.exe File created: C:\Windows\SysWOW64\Eoappk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bmlhnnne.exe File created: C:\Windows\SysWOW64\Bgamkfnl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dmfdkj32.exe File created: C:\Windows\SysWOW64\Hjdhea32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plbmqa32.exe File created: C:\Windows\SysWOW64\Lfcadoap.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Edgbhcim.exe File created: C:\Windows\SysWOW64\Kfnpbj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Baagdk32.exe File created: C:\Windows\SysWOW64\Fcjdhk32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dfcboo32.exe File created: C:\Windows\SysWOW64\Pfgpqb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Onkcje32.exe File created: C:\Windows\SysWOW64\Jgemldcp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfnpmb32.exe File created: C:\Windows\SysWOW64\Ccapffke.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Edgbhcim.exe File created: C:\Windows\SysWOW64\Emogai32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Pqeoao32.exe File created: C:\Windows\SysWOW64\Qgcpihjl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Feidnc32.exe File created: C:\Windows\SysWOW64\Foaigifk.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oceoll32.exe File created: C:\Windows\SysWOW64\Onkcje32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Eoappk32.exe File created: C:\Windows\SysWOW64\Lbfpda32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fhedeo32.exe File created: C:\Windows\SysWOW64\Njaakj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bnpnbp32.exe File created: C:\Windows\SysWOW64\Pkjmee32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bmlhnnne.exe File created: C:\Windows\SysWOW64\Mfdadc32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fhedeo32.exe File created: C:\Windows\SysWOW64\Feidnc32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Pqeoao32.exe File created: C:\Windows\SysWOW64\Clqdacnn.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Foaigifk.exe File created: C:\Windows\SysWOW64\Ckaenpam.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Olijjb32.exe File created: C:\Windows\SysWOW64\Oeanchcn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Cnjaioih.exe File created: C:\Windows\SysWOW64\Ahhhnd32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ccapffke.exe File created: C:\Windows\SysWOW64\Ipqipqal.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Foaigifk.exe File created: C:\Windows\SysWOW64\Ggmnlk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Emogai32.exe File created: C:\Windows\SysWOW64\Flhljo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plgflqpn.exe File created: C:\Windows\SysWOW64\Pqeoao32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oceoll32.exe File created: C:\Windows\SysWOW64\Fehgpcld.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Baagdk32.exe File created: C:\Windows\SysWOW64\Cfnpmb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Nejhbi32.exe File created: C:\Windows\SysWOW64\Bpghkh32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ogjdllpi.exe File created: C:\Windows\SysWOW64\Opbieagi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bgamkfnl.exe File created: C:\Windows\SysWOW64\Pdmohf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Odekfoij.exe File created: C:\Windows\SysWOW64\Ojacofgb.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dnhmjm32.exe File created: C:\Windows\SysWOW64\Ekpkmk32.dll Jump to dropped file
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Nejhbi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oeanchcn.exe File created: C:\Windows\SysWOW64\Pdkggn32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bgibkegc.exe File created: C:\Windows\SysWOW64\Baagdk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Fkogfkdj.exe File created: C:\Windows\SysWOW64\Fhedeo32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qgcpihjl.exe File created: C:\Windows\SysWOW64\Khlnhl32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ccapffke.exe File created: C:\Windows\SysWOW64\Ceampi32.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\Bgibkegc.exe File created: C:\Windows\SysWOW64\Foelkeee.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oeanchcn.exe File created: C:\Windows\SysWOW64\Oceoll32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Nejhbi32.exe File created: C:\Windows\SysWOW64\Ogjdllpi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bqjacldl.exe File created: C:\Windows\SysWOW64\Bnnampcf.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Plbmqa32.exe File created: C:\Windows\SysWOW64\Plgflqpn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qgcpihjl.exe File created: C:\Windows\SysWOW64\Ajkolbad.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Opbieagi.exe File created: C:\Windows\SysWOW64\Hjanmb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ppllkpoo.exe File created: C:\Windows\SysWOW64\Plbmqa32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bnpnbp32.exe File created: C:\Windows\SysWOW64\Bgibkegc.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Odekfoij.exe File created: C:\Windows\SysWOW64\Bdlhdkdf.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Onkcje32.exe File created: C:\Windows\SysWOW64\Odekfoij.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ojacofgb.exe File created: C:\Windows\SysWOW64\Accicdme.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ajkolbad.exe File created: C:\Windows\SysWOW64\Iemjhp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dmfdkj32.exe File created: C:\Windows\SysWOW64\Dnhmjm32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bqjacldl.exe File created: C:\Windows\SysWOW64\Lfjejf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ajkolbad.exe File created: C:\Windows\SysWOW64\Bmlhnnne.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Plgflqpn.exe File created: C:\Windows\SysWOW64\Akghbg32.dll Jump to dropped file
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Jcofqqkm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfnpmb32.exe File created: C:\Windows\SysWOW64\Ibigijoc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oglabl32.exe File created: C:\Windows\SysWOW64\Jdackq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ppllkpoo.exe File created: C:\Windows\SysWOW64\Chfnmf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ogjdllpi.exe File created: C:\Windows\SysWOW64\Fkdfmkhi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fkogfkdj.exe File created: C:\Windows\SysWOW64\Ajikgq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Olijjb32.exe File created: C:\Windows\SysWOW64\Ligdce32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oglabl32.exe File created: C:\Windows\SysWOW64\Olijjb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bnnampcf.exe File created: C:\Windows\SysWOW64\Bnpnbp32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dfcboo32.exe File created: C:\Windows\SysWOW64\Edgbhcim.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Emogai32.exe File created: C:\Windows\SysWOW64\Efgkjnfn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Cnjaioih.exe File created: C:\Windows\SysWOW64\Camgpi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Feidnc32.exe File created: C:\Windows\SysWOW64\Hdgplo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Camgpi32.exe File created: C:\Windows\SysWOW64\Ibbpip32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Eoappk32.exe File created: C:\Windows\SysWOW64\Fkogfkdj.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ojacofgb.exe File created: C:\Windows\SysWOW64\Ppllkpoo.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Opbieagi.exe File created: C:\Windows\SysWOW64\Oglabl32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Camgpi32.exe File created: C:\Windows\SysWOW64\Dmfdkj32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dnhmjm32.exe File created: C:\Windows\SysWOW64\Dfcboo32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Efgkjnfn.exe File created: C:\Windows\SysWOW64\Gfdcflnh.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ceampi32.exe File created: C:\Windows\SysWOW64\Cnjaioih.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bnnampcf.exe File created: C:\Windows\SysWOW64\Ekpjke32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ceampi32.exe File created: C:\Windows\SysWOW64\Hjjfnehb.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bgamkfnl.exe File created: C:\Windows\SysWOW64\Bqjacldl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Efgkjnfn.exe File created: C:\Windows\SysWOW64\Eoappk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bmlhnnne.exe File created: C:\Windows\SysWOW64\Bgamkfnl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dmfdkj32.exe File created: C:\Windows\SysWOW64\Hjdhea32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plbmqa32.exe File created: C:\Windows\SysWOW64\Lfcadoap.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Edgbhcim.exe File created: C:\Windows\SysWOW64\Kfnpbj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Baagdk32.exe File created: C:\Windows\SysWOW64\Fcjdhk32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dfcboo32.exe File created: C:\Windows\SysWOW64\Pfgpqb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Onkcje32.exe File created: C:\Windows\SysWOW64\Jgemldcp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfnpmb32.exe File created: C:\Windows\SysWOW64\Ccapffke.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Edgbhcim.exe File created: C:\Windows\SysWOW64\Emogai32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Pqeoao32.exe File created: C:\Windows\SysWOW64\Qgcpihjl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Feidnc32.exe File created: C:\Windows\SysWOW64\Foaigifk.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oceoll32.exe File created: C:\Windows\SysWOW64\Onkcje32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Eoappk32.exe File created: C:\Windows\SysWOW64\Lbfpda32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fhedeo32.exe File created: C:\Windows\SysWOW64\Njaakj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bnpnbp32.exe File created: C:\Windows\SysWOW64\Pkjmee32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bmlhnnne.exe File created: C:\Windows\SysWOW64\Mfdadc32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fhedeo32.exe File created: C:\Windows\SysWOW64\Feidnc32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Pqeoao32.exe File created: C:\Windows\SysWOW64\Clqdacnn.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Foaigifk.exe File created: C:\Windows\SysWOW64\Ckaenpam.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Olijjb32.exe File created: C:\Windows\SysWOW64\Oeanchcn.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Cnjaioih.exe File created: C:\Windows\SysWOW64\Ahhhnd32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ccapffke.exe File created: C:\Windows\SysWOW64\Ipqipqal.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Foaigifk.exe File created: C:\Windows\SysWOW64\Ggmnlk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Emogai32.exe File created: C:\Windows\SysWOW64\Flhljo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plgflqpn.exe File created: C:\Windows\SysWOW64\Pqeoao32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oceoll32.exe File created: C:\Windows\SysWOW64\Fehgpcld.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Baagdk32.exe File created: C:\Windows\SysWOW64\Cfnpmb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Nejhbi32.exe File created: C:\Windows\SysWOW64\Bpghkh32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ogjdllpi.exe File created: C:\Windows\SysWOW64\Opbieagi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bgamkfnl.exe File created: C:\Windows\SysWOW64\Pdmohf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Odekfoij.exe File created: C:\Windows\SysWOW64\Ojacofgb.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dnhmjm32.exe File created: C:\Windows\SysWOW64\Ekpkmk32.dll Jump to dropped file
Source: C:\Users\user\Desktop\h879iieoae.exe File created: C:\Windows\SysWOW64\Nejhbi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Oeanchcn.exe File created: C:\Windows\SysWOW64\Pdkggn32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bgibkegc.exe File created: C:\Windows\SysWOW64\Baagdk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Fkogfkdj.exe File created: C:\Windows\SysWOW64\Fhedeo32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qgcpihjl.exe File created: C:\Windows\SysWOW64\Khlnhl32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ccapffke.exe File created: C:\Windows\SysWOW64\Ceampi32.exe Jump to dropped file

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\h879iieoae.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger Jump to behavior
Source: C:\Users\user\Desktop\h879iieoae.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\Bgibkegc.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Foelkeee.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Opbieagi.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hjanmb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Onkcje32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jgemldcp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Odekfoij.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Bdlhdkdf.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ojacofgb.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Accicdme.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ajkolbad.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Iemjhp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Eoappk32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Lbfpda32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fhedeo32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Njaakj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pkjmee32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plgflqpn.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Akghbg32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bqjacldl.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Lfjejf32.dll Jump to dropped file
Source: C:\Users\user\Desktop\h879iieoae.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jcofqqkm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ibigijoc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Mfdadc32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oglabl32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jdackq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Pqeoao32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Clqdacnn.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Foaigifk.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ckaenpam.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Chfnmf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cnjaioih.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ahhhnd32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Fkdfmkhi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Fkogfkdj.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ajikgq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Olijjb32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ligdce32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ccapffke.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ipqipqal.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Foaigifk.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ggmnlk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Feidnc32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hdgplo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Emogai32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Flhljo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Camgpi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ibbpip32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oceoll32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Fehgpcld.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Nejhbi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Bpghkh32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Efgkjnfn.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Gfdcflnh.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pdmohf32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ceampi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hjjfnehb.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bnnampcf.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekpjke32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dnhmjm32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekpkmk32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Oeanchcn.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pdkggn32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dmfdkj32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hjdhea32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Edgbhcim.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kfnpbj32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Plbmqa32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Lfcadoap.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Khlnhl32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dfcboo32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pfgpqb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Baagdk32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Fcjdhk32.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\h879iieoae.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Nejhbi32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Ogjdllpi.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Opbieagi.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Oglabl32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Olijjb32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Oeanchcn.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Oceoll32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Onkcje32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Odekfoij.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Ojacofgb.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Ppllkpoo.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Plbmqa32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Plgflqpn.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Pqeoao32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Qgcpihjl.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Ajkolbad.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Bmlhnnne.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Bgamkfnl.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Bqjacldl.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Bnnampcf.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Bnpnbp32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Bgibkegc.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Baagdk32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Cfnpmb32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Ccapffke.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Ceampi32.exe API coverage: 8.3 %
Source: C:\Windows\SysWOW64\Cnjaioih.exe API coverage: 8.3 %
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00402E06 GetVersion,LoadLibraryA,GetProcAddress,IsBadReadPtr,GlobalMemoryStatus,GetEnvironmentStringsW,CloseHandle,GetModuleHandleA,VirtualQuery,IsBadWritePtr, 0_2_00402E06
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 0_2_00406C29

Stealing of Sensitive Information
barindex
Yara detected Berbew
Source: Yara match File source: 24.2.Cfnpmb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Opbieagi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Ccapffke.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Cnjaioih.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Bqjacldl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Oceoll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Dmfdkj32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Nejhbi32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Qgcpihjl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Bmlhnnne.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Pqeoao32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.Feidnc32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Efgkjnfn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Oglabl32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Ojacofgb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Bqjacldl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Olijjb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Plgflqpn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Cnjaioih.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Cfnpmb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Olijjb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Efgkjnfn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Bnnampcf.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Onkcje32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h879iieoae.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Dnhmjm32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ogjdllpi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Emogai32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Ojacofgb.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Oglabl32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Opbieagi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Pqeoao32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Bgamkfnl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Fkogfkdj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Camgpi32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Baagdk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Ppllkpoo.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Bnpnbp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Ajkolbad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Emogai32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ogjdllpi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Fhedeo32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dfcboo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Plbmqa32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dfcboo32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Eoappk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Bnpnbp32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Oceoll32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Ajkolbad.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.Feidnc32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Bmlhnnne.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Camgpi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Plbmqa32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Edgbhcim.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Fkogfkdj.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Ccapffke.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Ceampi32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Odekfoij.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Bgibkegc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Onkcje32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Edgbhcim.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Nejhbi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Bgibkegc.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Ceampi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Qgcpihjl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Foaigifk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Bgamkfnl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Fhedeo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Oeanchcn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Foaigifk.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Eoappk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Ppllkpoo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Oeanchcn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Bnnampcf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h879iieoae.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Dnhmjm32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Baagdk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Odekfoij.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Plgflqpn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Dmfdkj32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2006552400.000000000042A000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2029721811.000000000042A000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2021263243.000000000042A000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2005214969.000000000042A000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2027822384.000000000042A000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2017016443.000000000042A000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2011076811.000000000042A000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2029071325.000000000042A000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2005778309.000000000042A000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2016533194.000000000042A000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2007866947.000000000042A000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2031051927.000000000042A000.00000004.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2008521888.000000000042A000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2018453034.000000000042A000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2019406612.000000000042A000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2019682823.000000000042A000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2022377114.000000000042A000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2013905191.000000000042A000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2030625851.000000000042A000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: h879iieoae.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nejhbi32.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ogjdllpi.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opbieagi.exe PID: 6648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oglabl32.exe PID: 6692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Olijjb32.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oeanchcn.exe PID: 6768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oceoll32.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Onkcje32.exe PID: 6860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Odekfoij.exe PID: 6928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ojacofgb.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ppllkpoo.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plbmqa32.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plgflqpn.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pqeoao32.exe PID: 3808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qgcpihjl.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ajkolbad.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bmlhnnne.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bgamkfnl.exe PID: 2924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bqjacldl.exe PID: 2256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bnnampcf.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bnpnbp32.exe PID: 6188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bgibkegc.exe PID: 1740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Baagdk32.exe PID: 916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cfnpmb32.exe PID: 1188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ccapffke.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ceampi32.exe PID: 6460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cnjaioih.exe PID: 4284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Camgpi32.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dmfdkj32.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dnhmjm32.exe PID: 7212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dfcboo32.exe PID: 7228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edgbhcim.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Emogai32.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Efgkjnfn.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eoappk32.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fkogfkdj.exe PID: 7312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fhedeo32.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Feidnc32.exe PID: 7344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Foaigifk.exe PID: 7368, type: MEMORYSTR
Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 0_2_00405C09
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 0_2_00405133
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 1_2_00405C09
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 1_2_00405133
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 2_2_00405C09
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 2_2_00405133
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 3_2_00405C09
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 3_2_00405133
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 4_2_00405C09
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 4_2_00405133
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 5_2_00405C09
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 5_2_00405133
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 6_2_00405C09
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 6_2_00405133
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 7_2_00405C09
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 7_2_00405133
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 8_2_00405C09
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 8_2_00405133
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 9_2_00405C09
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 9_2_00405133
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 10_2_00405C09
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 10_2_00405133
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 11_2_00405C09
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 11_2_00405133
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 12_2_00405C09
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 12_2_00405133
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 13_2_00405C09
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 13_2_00405133
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 14_2_00405C09
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 14_2_00405133
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 15_2_00405C09
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 15_2_00405133
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 16_2_00405C09
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 16_2_00405133
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 17_2_00405C09
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 17_2_00405133
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 18_2_00405C09
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 18_2_00405133
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 19_2_00405C09
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 19_2_00405133
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 20_2_00405C09
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 20_2_00405133
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 21_2_00405C09
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 21_2_00405133
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 22_2_00405C09
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 22_2_00405133
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 23_2_00405C09
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 23_2_00405133
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 24_2_00405C09
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 24_2_00405133
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 25_2_00405C09
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 25_2_00405133
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 26_2_00405C09
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 26_2_00405133
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_00405C09 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 27_2_00405C09
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_00405133 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 27_2_00405133

Remote Access Functionality
barindex
Yara detected Berbew
Source: Yara match File source: 24.2.Cfnpmb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Opbieagi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Ccapffke.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Cnjaioih.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Bqjacldl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Oceoll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Dmfdkj32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Nejhbi32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Qgcpihjl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Bmlhnnne.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Pqeoao32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.Feidnc32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Efgkjnfn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Oglabl32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Ojacofgb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.Bqjacldl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Olijjb32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Plgflqpn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Cnjaioih.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Cfnpmb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Olijjb32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.Efgkjnfn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Bnnampcf.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Onkcje32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h879iieoae.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Dnhmjm32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ogjdllpi.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Emogai32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Ojacofgb.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Oglabl32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Opbieagi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Pqeoao32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Bgamkfnl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Fkogfkdj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Camgpi32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Baagdk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Ppllkpoo.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Bnpnbp32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Ajkolbad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Emogai32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Ogjdllpi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Fhedeo32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dfcboo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Plbmqa32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dfcboo32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Eoappk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Bnpnbp32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Oceoll32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.Ajkolbad.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.Feidnc32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Bmlhnnne.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Camgpi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Plbmqa32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Edgbhcim.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Fkogfkdj.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.Ccapffke.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Ceampi32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Odekfoij.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Bgibkegc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Onkcje32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Edgbhcim.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Nejhbi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Bgibkegc.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Ceampi32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Qgcpihjl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Foaigifk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Bgamkfnl.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Fhedeo32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Oeanchcn.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Foaigifk.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.Eoappk32.exe.42aa84.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Ppllkpoo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Oeanchcn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Bnnampcf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.h879iieoae.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Dnhmjm32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Baagdk32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Odekfoij.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Plgflqpn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Dmfdkj32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.1998469389.000000000042A000.00000004.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1982959568.000000000042A000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2006552400.000000000042A000.00000004.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2029721811.000000000042A000.00000004.00000001.01000000.00000028.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2021263243.000000000042A000.00000004.00000001.01000000.00000024.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1984697052.000000000042A000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2005214969.000000000042A000.00000004.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.2027822384.000000000042A000.00000004.00000001.01000000.00000026.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2000741077.000000000042A000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1986379697.000000000042A000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1990903099.000000000042A000.00000004.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2017016443.000000000042A000.00000004.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1984946818.000000000042A000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1982382134.000000000042A000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2011076811.000000000042A000.00000004.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2029071325.000000000042A000.00000004.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2005778309.000000000042A000.00000004.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2016533194.000000000042A000.00000004.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2007866947.000000000042A000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1986218308.000000000042A000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2004277931.000000000042A000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2031051927.000000000042A000.00000004.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2008521888.000000000042A000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2001790871.000000000042A000.00000004.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2018453034.000000000042A000.00000004.00000001.01000000.00000021.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1985391617.000000000042A000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1981341185.000000000042A000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2019406612.000000000042A000.00000004.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2019682823.000000000042A000.00000004.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1982006776.000000000042A000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2003694218.000000000042A000.00000004.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2022377114.000000000042A000.00000004.00000001.01000000.00000025.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1993494029.000000000042A000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2013905191.000000000042A000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2002333377.000000000042A000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2030625851.000000000042A000.00000004.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1986378400.000000000042A000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1981272347.000000000042A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1988867655.000000000042A000.00000004.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2000063573.000000000042A000.00000004.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: h879iieoae.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Nejhbi32.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ogjdllpi.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opbieagi.exe PID: 6648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oglabl32.exe PID: 6692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Olijjb32.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oeanchcn.exe PID: 6768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Oceoll32.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Onkcje32.exe PID: 6860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Odekfoij.exe PID: 6928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ojacofgb.exe PID: 6992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ppllkpoo.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plbmqa32.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Plgflqpn.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pqeoao32.exe PID: 3808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qgcpihjl.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ajkolbad.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bmlhnnne.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bgamkfnl.exe PID: 2924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bqjacldl.exe PID: 2256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bnnampcf.exe PID: 5640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bnpnbp32.exe PID: 6188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bgibkegc.exe PID: 1740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Baagdk32.exe PID: 916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cfnpmb32.exe PID: 1188, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ccapffke.exe PID: 7104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ceampi32.exe PID: 6460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Cnjaioih.exe PID: 4284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Camgpi32.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dmfdkj32.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dnhmjm32.exe PID: 7212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Dfcboo32.exe PID: 7228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Edgbhcim.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Emogai32.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Efgkjnfn.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eoappk32.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fkogfkdj.exe PID: 7312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fhedeo32.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Feidnc32.exe PID: 7344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Foaigifk.exe PID: 7368, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 0_2_00403619
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 0_2_00406C29
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_0040129B DsBindWithCredA,CreateFileA, 0_2_0040129B
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 0_2_0040129C
Source: C:\Users\user\Desktop\h879iieoae.exe Code function: 0_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 0_2_00406753
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 1_2_00403619
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 1_2_00406C29
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_0040129B DsBindWithCredA,CreateFileA, 1_2_0040129B
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 1_2_0040129C
Source: C:\Windows\SysWOW64\Nejhbi32.exe Code function: 1_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 1_2_00406753
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 2_2_00403619
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 2_2_00406C29
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_0040129B DsBindWithCredA,CreateFileA, 2_2_0040129B
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 2_2_0040129C
Source: C:\Windows\SysWOW64\Ogjdllpi.exe Code function: 2_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 2_2_00406753
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 3_2_00403619
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 3_2_00406C29
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_0040129B DsBindWithCredA,CreateFileA, 3_2_0040129B
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 3_2_0040129C
Source: C:\Windows\SysWOW64\Opbieagi.exe Code function: 3_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 3_2_00406753
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 4_2_00403619
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 4_2_00406C29
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_0040129B DsBindWithCredA,CreateFileA, 4_2_0040129B
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 4_2_0040129C
Source: C:\Windows\SysWOW64\Oglabl32.exe Code function: 4_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 4_2_00406753
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 5_2_00403619
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 5_2_00406C29
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_0040129B DsBindWithCredA,CreateFileA, 5_2_0040129B
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 5_2_0040129C
Source: C:\Windows\SysWOW64\Olijjb32.exe Code function: 5_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 5_2_00406753
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 6_2_00403619
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 6_2_00406C29
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_0040129B DsBindWithCredA,CreateFileA, 6_2_0040129B
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 6_2_0040129C
Source: C:\Windows\SysWOW64\Oeanchcn.exe Code function: 6_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 6_2_00406753
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 7_2_00403619
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 7_2_00406C29
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_0040129B DsBindWithCredA,CreateFileA, 7_2_0040129B
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 7_2_0040129C
Source: C:\Windows\SysWOW64\Oceoll32.exe Code function: 7_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 7_2_00406753
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 8_2_00403619
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 8_2_00406C29
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_0040129B DsBindWithCredA,CreateFileA, 8_2_0040129B
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 8_2_0040129C
Source: C:\Windows\SysWOW64\Onkcje32.exe Code function: 8_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 8_2_00406753
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 9_2_00403619
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 9_2_00406C29
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_0040129B DsBindWithCredA,CreateFileA, 9_2_0040129B
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 9_2_0040129C
Source: C:\Windows\SysWOW64\Odekfoij.exe Code function: 9_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 9_2_00406753
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 10_2_00403619
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 10_2_00406C29
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_0040129B DsBindWithCredA,CreateFileA, 10_2_0040129B
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 10_2_0040129C
Source: C:\Windows\SysWOW64\Ojacofgb.exe Code function: 10_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 10_2_00406753
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 11_2_00403619
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 11_2_00406C29
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_0040129B DsBindWithCredA,CreateFileA, 11_2_0040129B
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 11_2_0040129C
Source: C:\Windows\SysWOW64\Ppllkpoo.exe Code function: 11_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 11_2_00406753
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 12_2_00403619
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 12_2_00406C29
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_0040129B DsBindWithCredA,CreateFileA, 12_2_0040129B
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 12_2_0040129C
Source: C:\Windows\SysWOW64\Plbmqa32.exe Code function: 12_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 12_2_00406753
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 13_2_00403619
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 13_2_00406C29
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_0040129B DsBindWithCredA,CreateFileA, 13_2_0040129B
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 13_2_0040129C
Source: C:\Windows\SysWOW64\Plgflqpn.exe Code function: 13_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 13_2_00406753
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 14_2_00403619
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 14_2_00406C29
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_0040129B DsBindWithCredA,CreateFileA, 14_2_0040129B
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 14_2_0040129C
Source: C:\Windows\SysWOW64\Pqeoao32.exe Code function: 14_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 14_2_00406753
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 15_2_00403619
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 15_2_00406C29
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_0040129B DsBindWithCredA,CreateFileA, 15_2_0040129B
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 15_2_0040129C
Source: C:\Windows\SysWOW64\Qgcpihjl.exe Code function: 15_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 15_2_00406753
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 16_2_00403619
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 16_2_00406C29
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_0040129B DsBindWithCredA,CreateFileA, 16_2_0040129B
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 16_2_0040129C
Source: C:\Windows\SysWOW64\Ajkolbad.exe Code function: 16_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 16_2_00406753
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 17_2_00403619
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 17_2_00406C29
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_0040129B DsBindWithCredA,CreateFileA, 17_2_0040129B
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 17_2_0040129C
Source: C:\Windows\SysWOW64\Bmlhnnne.exe Code function: 17_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 17_2_00406753
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 18_2_00403619
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 18_2_00406C29
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_0040129B DsBindWithCredA,CreateFileA, 18_2_0040129B
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 18_2_0040129C
Source: C:\Windows\SysWOW64\Bgamkfnl.exe Code function: 18_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 18_2_00406753
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 19_2_00403619
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 19_2_00406C29
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_0040129B DsBindWithCredA,CreateFileA, 19_2_0040129B
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 19_2_0040129C
Source: C:\Windows\SysWOW64\Bqjacldl.exe Code function: 19_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 19_2_00406753
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 20_2_00403619
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 20_2_00406C29
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_0040129B DsBindWithCredA,CreateFileA, 20_2_0040129B
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 20_2_0040129C
Source: C:\Windows\SysWOW64\Bnnampcf.exe Code function: 20_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 20_2_00406753
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 21_2_00403619
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 21_2_00406C29
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_0040129B DsBindWithCredA,CreateFileA, 21_2_0040129B
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 21_2_0040129C
Source: C:\Windows\SysWOW64\Bnpnbp32.exe Code function: 21_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 21_2_00406753
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 22_2_00403619
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 22_2_00406C29
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_0040129B DsBindWithCredA,CreateFileA, 22_2_0040129B
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 22_2_0040129C
Source: C:\Windows\SysWOW64\Bgibkegc.exe Code function: 22_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 22_2_00406753
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 23_2_00403619
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 23_2_00406C29
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_0040129B DsBindWithCredA,CreateFileA, 23_2_0040129B
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 23_2_0040129C
Source: C:\Windows\SysWOW64\Baagdk32.exe Code function: 23_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 23_2_00406753
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 24_2_00403619
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 24_2_00406C29
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_0040129B DsBindWithCredA,CreateFileA, 24_2_0040129B
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 24_2_0040129C
Source: C:\Windows\SysWOW64\Cfnpmb32.exe Code function: 24_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 24_2_00406753
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 25_2_00403619
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 25_2_00406C29
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_0040129B DsBindWithCredA,CreateFileA, 25_2_0040129B
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 25_2_0040129C
Source: C:\Windows\SysWOW64\Ccapffke.exe Code function: 25_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 25_2_00406753
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 26_2_00403619
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 26_2_00406C29
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_0040129B DsBindWithCredA,CreateFileA, 26_2_0040129B
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 26_2_0040129C
Source: C:\Windows\SysWOW64\Ceampi32.exe Code function: 26_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 26_2_00406753
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_00403619 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle, 27_2_00403619
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_00406C29 OpenMutexA,CloseHandle,exit,GetVersionExA,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,sprintf,sprintf,LoadCursorA,LoadIconA,GetStockObject,DsBindWithCredA,RegisterClassA,CreateWindowExA,CreateMutexA,GetVersion,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,CreateThread,CloseHandle,CreateThread,CloseHandle,SetTimer,TranslateMessage,DispatchMessageA,GetMessageA, 27_2_00406C29
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_0040129B DsBindWithCredA,CreateFileA, 27_2_0040129B
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_0040129C DsBindWithCredA,CreateFileA,ReadFile,CloseHandle, 27_2_0040129C
Source: C:\Windows\SysWOW64\Cnjaioih.exe Code function: 27_2_00406753 DsBindWithCredA,DsBindWithCredA,CreateFileA,GetFileSize,CloseHandle,VirtualAlloc,VirtualAlloc,VirtualAlloc, 27_2_00406753
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1545775 Sample: h879iieoae.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 96 Multi AV Scanner detection for domain / URL 2->96 98 Antivirus detection for dropped file 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 7 other signatures 2->102 14 h879iieoae.exe 3 3 2->14         started        process3 file4 82 C:\Windows\SysWOW6482ejhbi32.exe, PE32 14->82 dropped 84 C:\Windows\SysWOW64\Jcofqqkm.dll, PE32 14->84 dropped 86 C:\Windows\...86ejhbi32.exe:Zone.Identifier, ASCII 14->86 dropped 118 Creates an undocumented autostart registry key 14->118 120 Drops executables to the windows directory (C:\Windows) and starts them 14->120 18 Nejhbi32.exe 2 14->18         started        signatures5 process6 file7 54 C:\Windows\SysWOW64\Ogjdllpi.exe, PE32 18->54 dropped 56 C:\Windows\SysWOW64\Bpghkh32.dll, PE32 18->56 dropped 104 Drops executables to the windows directory (C:\Windows) and starts them 18->104 22 Ogjdllpi.exe 2 18->22         started        signatures8 process9 file10 66 C:\Windows\SysWOW64\Opbieagi.exe, PE32 22->66 dropped 68 C:\Windows\SysWOW64\Fkdfmkhi.dll, PE32 22->68 dropped 110 Drops executables to the windows directory (C:\Windows) and starts them 22->110 26 Opbieagi.exe 2 22->26         started        signatures11 process12 file13 74 C:\Windows\SysWOW64\Oglabl32.exe, PE32 26->74 dropped 76 C:\Windows\SysWOW64\Hjanmb32.dll, PE32 26->76 dropped 114 Drops executables to the windows directory (C:\Windows) and starts them 26->114 30 Oglabl32.exe 2 26->30         started        signatures14 process15 file16 88 C:\Windows\SysWOW64\Olijjb32.exe, PE32 30->88 dropped 90 C:\Windows\SysWOW64\Jdackq32.dll, PE32 30->90 dropped 122 Drops executables to the windows directory (C:\Windows) and starts them 30->122 34 Olijjb32.exe 2 30->34         started        signatures17 process18 file19 58 C:\Windows\SysWOW64\Oeanchcn.exe, PE32 34->58 dropped 60 C:\Windows\SysWOW64\Ligdce32.dll, PE32 34->60 dropped 106 Drops executables to the windows directory (C:\Windows) and starts them 34->106 38 Oeanchcn.exe 2 34->38         started        signatures20 process21 file22 70 C:\Windows\SysWOW64\Pdkggn32.dll, PE32 38->70 dropped 72 C:\Windows\SysWOW64\Oceoll32.exe, PE32 38->72 dropped 112 Drops executables to the windows directory (C:\Windows) and starts them 38->112 42 Oceoll32.exe 2 38->42         started        signatures23 process24 file25 78 C:\Windows\SysWOW64\Onkcje32.exe, PE32 42->78 dropped 80 C:\Windows\SysWOW64\Fehgpcld.dll, PE32 42->80 dropped 116 Drops executables to the windows directory (C:\Windows) and starts them 42->116 46 Onkcje32.exe 2 42->46         started        signatures26 process27 file28 92 C:\Windows\SysWOW64\Odekfoij.exe, PE32 46->92 dropped 94 C:\Windows\SysWOW64\Jgemldcp.dll, PE32 46->94 dropped 124 Drops executables to the windows directory (C:\Windows) and starts them 46->124 50 Odekfoij.exe 2 46->50         started        signatures29 process30 file31 62 C:\Windows\SysWOW64\Ojacofgb.exe, PE32 50->62 dropped 64 C:\Windows\SysWOW64\Bdlhdkdf.dll, PE32 50->64 dropped 108 Drops executables to the windows directory (C:\Windows) and starts them 50->108 signatures32
No contacted IP infos