Windows Analysis Report
puTBVYGxNA.exe

Overview

General Information

Sample name: puTBVYGxNA.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 872f92b64df45ab6a1157ec759905c6cfbff163d8cc735f88611b48b8e10da43
Analysis ID: 1543681
MD5: 3d692648656964f0aaf396cf0c96bce2
SHA1: 91bd9c941d2417682562b4e5701afb85bf63fe7c
SHA256: 872f92b64df45ab6a1157ec759905c6cfbff163d8cc735f88611b48b8e10da43

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files

Classification

AV Detection

Source: puTBVYGxNA.exe Avira: detected
Source: C:\Windows\SysWOW64\Akmbah32.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Cfpqocja.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dblhbnio.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Bapbmg32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dobhng32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Acjekk32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Cdoonp32.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Balfnn32.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Aheanb32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dkdohi32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Blefjp32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dljmco32.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Amnpoged.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Djepfp32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Acflplcn.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Chhgjp32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Bcfegi32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Dfggpb32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Acabel32.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Aakiahhf.exe Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Windows\SysWOW64\Akdfgp32.dll Avira: detection malicious, Label: BDS/Padodor.M.1
Source: C:\Windows\SysWOW64\Akdfgp32.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Akmbah32.dll ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Amnpoged.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Balfnn32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Cdoonp32.dll ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Dblhbnio.dll ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Dljmco32.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Eafkpm32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Ekqdmopm.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Eojaon32.dll ReversingLabs: Detection: 85%
Source: C:\Windows\SysWOW64\Faocenna.dll ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Gdandi32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Gnbckd32.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Goiahmld.dll ReversingLabs: Detection: 85%
Source: C:\Windows\SysWOW64\Hangmbgd.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Hbdjjlja.dll ReversingLabs: Detection: 92%
Source: C:\Windows\SysWOW64\Hhchjh32.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Idehkflp.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Idfghqdo.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Ifckbmfk.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Jbhdqi32.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Jffcjk32.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Jhegaapi.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Jlogbg32.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Kafafkfn.dll ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Kdiaom32.dll ReversingLabs: Detection: 85%
Source: C:\Windows\SysWOW64\Kipcln32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Kohghl32.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Libmid32.dll ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Mcighdph.dll ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Mfkcin32.dll ReversingLabs: Detection: 95%
Source: C:\Windows\SysWOW64\Minhdh32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Mpckbo32.dll ReversingLabs: Detection: 87%
Source: C:\Windows\SysWOW64\Nlhhbhgi.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Nmajap32.dll ReversingLabs: Detection: 82%
Source: C:\Windows\SysWOW64\Noabbddh.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Oeppbb32.dll ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\Pabjpfjl.dll ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\Pjpnlq32.dll ReversingLabs: Detection: 95%
Source: puTBVYGxNA.exe ReversingLabs: Detection: 86%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\Akmbah32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cfpqocja.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dblhbnio.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Aafpfi32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bapbmg32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dobhng32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Acjekk32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Cdoonp32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Balfnn32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Aheanb32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dkdohi32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Blefjp32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dljmco32.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Amnpoged.dll Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Djepfp32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Acflplcn.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Chhgjp32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Bcfegi32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Dfggpb32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Acabel32.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Aakiahhf.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\Akdfgp32.dll Joe Sandbox ML: detected
Source: puTBVYGxNA.exe Joe Sandbox ML: detected
Source: puTBVYGxNA.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 0_2_00408349
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 1_2_00408349
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 2_2_00408349
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 3_2_00408349
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 4_2_00408349
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 5_2_00408349
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 6_2_00408349
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 8_2_00408349
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 9_2_00408349
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 10_2_00408349
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 11_2_00408349
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 12_2_00408349
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 13_2_00408349
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 14_2_00408349
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 15_2_00408349
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 16_2_00408349
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 17_2_00408349
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 18_2_00408349
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 19_2_00408349
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 20_2_00408349
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 21_2_00408349
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 22_2_00408349
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 23_2_00408349
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 24_2_00408349
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 25_2_00408349
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 26_2_00408349
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then xor dword ptr [eax], ecx 4_2_004071A8
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then add eax, 04h 4_2_004071A8
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then jne 00407214h 4_2_004071A8
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then popad 4_2_004071A8
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 4_2_00407245
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then add ebx, 04h 4_2_00407245
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then jl 00407269h 4_2_00407245
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then add eax, 0Ch 4_2_00407245
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then popad 4_2_00407245
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then pop edi 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then mov ebx, 0040C7D0h 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then sub ecx, eax 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then xor edx, edx 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then push eax 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then div edi 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then xchg eax, ecx 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then add eax, edi 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then loop 00407318h 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then mov eax, 0042C000h 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then mov ebx, 0042F314h 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then sub ecx, eax 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then xor edx, edx 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then push eax 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then div edi 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then xchg eax, ecx 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then add eax, edi 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then loop 00407378h 4_2_004072A1
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4x nop then popad 4_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov eax, 00401000h 5_2_00432003
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then je 00432072h 5_2_00432003
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then je 004320D2h 5_2_00432003
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then pop eax 5_2_00432003
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov esi, 68F61C4Ch 5_2_00432003
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then jmp 00401219h 5_2_00432003
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then je 004071F6h 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then xor dword ptr [eax], ecx 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then inc eax 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then jne 004071CCh 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov eax, 0042C000h 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then je 0040722Ch 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then xor dword ptr [eax], ecx 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then add eax, 04h 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then jne 00407214h 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then popad 5_2_004071A8
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 5_2_00407245
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then add ebx, 04h 5_2_00407245
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then jl 00407269h 5_2_00407245
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then add eax, 0Ch 5_2_00407245
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then popad 5_2_00407245
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then pop edi 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov ebx, 0040C7D0h 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then sub ecx, eax 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then xor edx, edx 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then push eax 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then div edi 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then xchg eax, ecx 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then add eax, edi 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then loop 00407318h 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov eax, 0042C000h 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then mov ebx, 0042F314h 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then sub ecx, eax 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then xor edx, edx 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then push eax 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then div edi 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then xchg eax, ecx 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then add eax, edi 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then loop 00407378h 5_2_004072A1
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 4x nop then popad 5_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then pop eax 6_2_00432068
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then mov esi, 68F61C4Ch 6_2_00432068
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then jmp 00401219h 6_2_00432068
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then je 004071F6h 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then xor dword ptr [eax], ecx 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then inc eax 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then jne 004071CCh 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then mov eax, 0042C000h 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then je 0040722Ch 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then xor dword ptr [eax], ecx 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then add eax, 04h 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then jne 00407214h 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then popad 6_2_004071A8
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 6_2_00407245
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then add ebx, 04h 6_2_00407245
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then jl 00407269h 6_2_00407245
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then add eax, 0Ch 6_2_00407245
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then popad 6_2_00407245
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then pop edi 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then mov ebx, 0040C7D0h 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then sub ecx, eax 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then xor edx, edx 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then push eax 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then div edi 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then xchg eax, ecx 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then add eax, edi 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then loop 00407318h 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then mov eax, 0042C000h 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then mov ebx, 0042F314h 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then sub ecx, eax 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then xor edx, edx 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then push eax 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then div edi 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then xchg eax, ecx 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then add eax, edi 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then loop 00407378h 6_2_004072A1
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 4x nop then popad 6_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then je 0043204Eh 8_2_00432003
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_00432003
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then jne 00432024h 8_2_00432003
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then pop eax 8_2_0043209D
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then mov esi, 68F61C4Ch 8_2_0043209D
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then jmp 00401219h 8_2_0043209D
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then je 004071F6h 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then inc eax 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then jne 004071CCh 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then mov eax, 0042C000h 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then je 0040722Ch 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xor dword ptr [eax], ecx 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then add eax, 04h 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then jne 00407214h 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then popad 8_2_004071A8
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 8_2_00407245
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then add ebx, 04h 8_2_00407245
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then jl 00407269h 8_2_00407245
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then add eax, 0Ch 8_2_00407245
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then popad 8_2_00407245
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then pop edi 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then mov ebx, 0040C7D0h 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then sub ecx, eax 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xor edx, edx 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then push eax 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then div edi 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xchg eax, ecx 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then add eax, edi 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then loop 00407318h 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then mov eax, 0042C000h 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then mov ebx, 0042F314h 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then sub ecx, eax 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xor edx, edx 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then push eax 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then div edi 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then xchg eax, ecx 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then add eax, edi 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then loop 00407378h 8_2_004072A1
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 4x nop then popad 8_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then cmp eax, 00000000h 9_2_00432003
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov ecx, ebx 9_2_00432003
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xor edx, edx 9_2_00432003
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov eax, ecx 9_2_00432003
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then pop eax 9_2_00432003
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xor dword ptr [eax], esi 9_2_00432003
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then je 004071F6h 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xor dword ptr [eax], ecx 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then inc eax 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then jne 004071CCh 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov eax, 0042C000h 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then je 0040722Ch 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xor dword ptr [eax], ecx 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then add eax, 04h 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then jne 00407214h 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then popad 9_2_004071A8
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 9_2_00407245
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then add ebx, 04h 9_2_00407245
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then jl 00407269h 9_2_00407245
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then add eax, 0Ch 9_2_00407245
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then popad 9_2_00407245
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then pop edi 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov ebx, 0040C7D0h 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then sub ecx, eax 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xor edx, edx 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then push eax 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then div edi 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xchg eax, ecx 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then add eax, edi 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then loop 00407318h 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov eax, 0042C000h 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then mov ebx, 0042F314h 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then sub ecx, eax 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xor edx, edx 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then push eax 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then div edi 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then xchg eax, ecx 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then add eax, edi 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then loop 00407378h 9_2_004072A1
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 4x nop then popad 9_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then je 004071F6h 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then xor dword ptr [eax], ecx 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then inc eax 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then jne 004071CCh 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then mov eax, 0042C000h 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then je 0040722Ch 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then xor dword ptr [eax], ecx 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then add eax, 04h 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then jne 00407214h 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then popad 10_2_004071A8
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 10_2_00407245
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then add ebx, 04h 10_2_00407245
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then jl 00407269h 10_2_00407245
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then add eax, 0Ch 10_2_00407245
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then popad 10_2_00407245
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then pop edi 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then mov ebx, 0040C7D0h 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then sub ecx, eax 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then xor edx, edx 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then push eax 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then div edi 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then xchg eax, ecx 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then add eax, edi 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then loop 00407318h 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then mov eax, 0042C000h 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then mov ebx, 0042F314h 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then sub ecx, eax 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then xor edx, edx 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then push eax 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then div edi 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then xchg eax, ecx 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then add eax, edi 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then loop 00407378h 10_2_004072A1
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 4x nop then popad 10_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_00432003
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then test eax, eax 11_2_00432003
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then add eax, 04h 11_2_00432003
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xor dword ptr [eax], esi 11_2_0043209F
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then je 004071F6h 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then inc eax 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then jne 004071CCh 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then mov eax, 0042C000h 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then je 0040722Ch 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xor dword ptr [eax], ecx 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then add eax, 04h 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then jne 00407214h 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then popad 11_2_004071A8
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 11_2_00407245
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then add ebx, 04h 11_2_00407245
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then jl 00407269h 11_2_00407245
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then add eax, 0Ch 11_2_00407245
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then popad 11_2_00407245
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then pop edi 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then mov ebx, 0040C7D0h 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then sub ecx, eax 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xor edx, edx 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then push eax 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then div edi 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xchg eax, ecx 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then add eax, edi 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then loop 00407318h 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then mov eax, 0042C000h 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then mov ebx, 0042F314h 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then sub ecx, eax 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xor edx, edx 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then push eax 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then div edi 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then xchg eax, ecx 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then add eax, edi 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then loop 00407378h 11_2_004072A1
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 4x nop then popad 11_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then pop edi 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then sub ecx, eax 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then div edi 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov esi, 76D87171h 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov ebx, 0042F314h 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xor edx, edx 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then push eax 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then loop 004320C0h 12_2_00432003
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then je 004071F6h 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xor dword ptr [eax], ecx 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then inc eax 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then jne 004071CCh 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov eax, 0042C000h 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then je 0040722Ch 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xor dword ptr [eax], ecx 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then add eax, 04h 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then jne 00407214h 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then popad 12_2_004071A8
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 12_2_00407245
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then add ebx, 04h 12_2_00407245
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then jl 00407269h 12_2_00407245
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then add eax, 0Ch 12_2_00407245
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then popad 12_2_00407245
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then pop edi 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov ebx, 0040C7D0h 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then sub ecx, eax 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xor edx, edx 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then push eax 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then div edi 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xchg eax, ecx 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then add eax, edi 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then loop 00407318h 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov eax, 0042C000h 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then mov ebx, 0042F314h 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then sub ecx, eax 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xor edx, edx 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then push eax 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then div edi 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then xchg eax, ecx 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then add eax, edi 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then loop 00407378h 12_2_004072A1
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 4x nop then popad 12_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then test eax, eax 13_2_00432003
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then loop 004320C0h 13_2_0043209D
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then je 004071F6h 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then xor dword ptr [eax], ecx 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then inc eax 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then jne 004071CCh 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then mov eax, 0042C000h 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then je 0040722Ch 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then xor dword ptr [eax], ecx 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then add eax, 04h 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then jne 00407214h 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then popad 13_2_004071A8
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then mov ecx, dword ptr [eax+04h] 13_2_00407245
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then add ebx, 04h 13_2_00407245
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then jl 00407269h 13_2_00407245
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then add eax, 0Ch 13_2_00407245
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then popad 13_2_00407245
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then pop edi 13_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then mov ebx, 0040C7D0h 13_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then sub ecx, eax 13_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then xor edx, edx 13_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then push eax 13_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then div edi 13_2_004072A1
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 4x nop then xchg eax, ecx 13_2_004072A1
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00409441 recv,closesocket,WriteFile,lstrlenA,WriteFile, 0_2_00409441
Source: Piokfhim.exe.1.dr String found in binary or memory: http://oracle.com/contracts
Source: puTBVYGxNA.exe, Ahnkmc32.exe.10.dr, Cfpqocja.exe.25.dr, Aafpfi32.exe.11.dr, Dfbmdbho.exe.27.dr, Elnbng32.exe.37.dr, Bapbmg32.exe.18.dr, Ahbdhbbe.exe.13.dr, Bcoofjkc.exe.20.dr, Qiinlgab.exe.8.dr, Ecggedif.exe.39.dr, Pbjldmnk.exe.3.dr, Cjjpjb32.exe.23.dr, Dkbbbi32.exe.29.dr, Dobhng32.exe.33.dr, Ckklbjkl.exe.24.dr, Dkmigjhi.exe.26.dr, Acjekk32.exe.16.dr, Dokbmhoo.exe.28.dr, Epgaifdb.exe.36.dr, Aheanb32.exe.15.dr String found in binary or memory: http://oracle.com/contracts.
Source: puTBVYGxNA.exe, puTBVYGxNA.exe, 00000000.00000002.2296261670.000000000042C000.00000004.00000001.01000000.00000003.sdmp, Pojgioig.exe, Pojgioig.exe, 00000001.00000002.2296066191.000000000042C000.00000004.00000001.01000000.00000004.sdmp, Piokfhim.exe, Piokfhim.exe, 00000002.00000002.2295938101.000000000042C000.00000004.00000001.01000000.00000005.sdmp, Peflki32.exe, Peflki32.exe, 00000003.00000002.2295696708.000000000042C000.00000004.00000001.01000000.00000006.sdmp, Pbjldmnk.exe, Pbjldmnk.exe, 00000004.00000002.2295467096.000000000042C000.00000004.00000001.01000000.00000007.sdmp, Phgemdlb.exe, Phgemdlb.exe, 00000005.00000002.2295322571.000000000042C000.00000004.00000001.01000000.00000008.sdmp, Qclijmlh.exe, Qclijmlh.exe, 00000006.00000002.2295707681.000000000042C000.00000004.00000001.01000000.00000009.sdmp, Qlencbbi.exe, Qlencbbi.exe, 00000008.00000002.2294967349.000000000042C000.00000004.00000001.01000000.0000000A.sdmp, Qiinlgab.exe, Qiinlgab.exe, 00000009.00000002.2294559304.000000000042C000.00000004.00000001.01000000.0000000B.sdmp, Acabel32.exe, Acabel32.exe, 0000000A.00000002.2294333350.000000000042C000.00000004.00000001.01000000.0000000C.sdmp, Ahnkmc32.exe String found in binary or memory: http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Source: puTBVYGxNA.exe, puTBVYGxNA.exe, 00000000.00000002.2296261670.000000000042C000.00000004.00000001.01000000.00000003.sdmp, Pojgioig.exe, Pojgioig.exe, 00000001.00000002.2296066191.000000000042C000.00000004.00000001.01000000.00000004.sdmp, Piokfhim.exe, Piokfhim.exe, 00000002.00000002.2295938101.000000000042C000.00000004.00000001.01000000.00000005.sdmp, Peflki32.exe, Peflki32.exe, 00000003.00000002.2295696708.000000000042C000.00000004.00000001.01000000.00000006.sdmp, Pbjldmnk.exe, Pbjldmnk.exe, 00000004.00000002.2295467096.000000000042C000.00000004.00000001.01000000.00000007.sdmp, Phgemdlb.exe, Phgemdlb.exe, 00000005.00000002.2295322571.000000000042C000.00000004.00000001.01000000.00000008.sdmp, Qclijmlh.exe, Qclijmlh.exe, 00000006.00000002.2295707681.000000000042C000.00000004.00000001.01000000.00000009.sdmp, Qlencbbi.exe, Qlencbbi.exe, 00000008.00000002.2294967349.000000000042C000.00000004.00000001.01000000.0000000A.sdmp, Qiinlgab.exe, Qiinlgab.exe, 00000009.00000002.2294559304.000000000042C000.00000004.00000001.01000000.0000000B.sdmp, Acabel32.exe, Acabel32.exe, 0000000A.00000002.2294333350.000000000042C000.00000004.00000001.01000000.0000000C.sdmp, Ahnkmc32.exe String found in binary or memory: http://viruslist.com/ppslog.php
Source: puTBVYGxNA.exe, puTBVYGxNA.exe, 00000000.00000002.2296261670.000000000042C000.00000004.00000001.01000000.00000003.sdmp, Pojgioig.exe, Pojgioig.exe, 00000001.00000002.2296066191.000000000042C000.00000004.00000001.01000000.00000004.sdmp, Piokfhim.exe, Piokfhim.exe, 00000002.00000002.2295938101.000000000042C000.00000004.00000001.01000000.00000005.sdmp, Peflki32.exe, Peflki32.exe, 00000003.00000002.2295696708.000000000042C000.00000004.00000001.01000000.00000006.sdmp, Pbjldmnk.exe, Pbjldmnk.exe, 00000004.00000002.2295467096.000000000042C000.00000004.00000001.01000000.00000007.sdmp, Phgemdlb.exe, Phgemdlb.exe, 00000005.00000002.2295322571.000000000042C000.00000004.00000001.01000000.00000008.sdmp, Qclijmlh.exe, Qclijmlh.exe, 00000006.00000002.2295707681.000000000042C000.00000004.00000001.01000000.00000009.sdmp, Qlencbbi.exe, Qlencbbi.exe, 00000008.00000002.2294967349.000000000042C000.00000004.00000001.01000000.0000000A.sdmp, Qiinlgab.exe, Qiinlgab.exe, 00000009.00000002.2294559304.000000000042C000.00000004.00000001.01000000.0000000B.sdmp, Acabel32.exe, Acabel32.exe, 0000000A.00000002.2294333350.000000000042C000.00000004.00000001.01000000.0000000C.sdmp, Ahnkmc32.exe String found in binary or memory: http://viruslist.com/wcmd.txt
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00409952 CreateDesktopA, 0_2_00409952

System Summary

Source: puTBVYGxNA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pojgioig.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Piokfhim.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Peflki32.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pbjldmnk.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Phgemdlb.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qclijmlh.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qlencbbi.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qiinlgab.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acabel32.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ahnkmc32.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aafpfi32.exe.11.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acflplcn.exe.12.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ahbdhbbe.exe.13.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aakiahhf.exe.14.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aheanb32.exe.15.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acjekk32.exe.16.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bkfjpm32.exe.17.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bapbmg32.exe.18.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Blefjp32.exe.19.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bcoofjkc.exe.20.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bcfegi32.exe.21.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Chhgjp32.exe.22.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cjjpjb32.exe.23.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ckklbjkl.exe.24.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cfpqocja.exe.25.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dkmigjhi.exe.26.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dfbmdbho.exe.27.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dokbmhoo.exe.28.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dkbbbi32.exe.29.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dfggpb32.exe.30.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dkdohi32.exe.31.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Djepfp32.exe.32.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dobhng32.exe.33.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ejhlkp32.exe.34.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ebcapbfh.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Epgaifdb.exe.36.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Elnbng32.exe.37.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ejoblo32.exe.38.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ecggedif.exe.39.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\puTBVYGxNA.exe File created: C:\Windows\SysWOW64\Pojgioig.exe
Source: C:\Users\user\Desktop\puTBVYGxNA.exe File created: C:\Windows\SysWOW64\Pojgioig.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\puTBVYGxNA.exe File created: C:\Windows\SysWOW64\Dblhbnio.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe File created: C:\Windows\SysWOW64\Piokfhim.exe
Source: C:\Windows\SysWOW64\Pojgioig.exe File created: C:\Windows\SysWOW64\Jhegaapi.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe File created: C:\Windows\SysWOW64\Peflki32.exe
Source: C:\Windows\SysWOW64\Piokfhim.exe File created: C:\Windows\SysWOW64\Eojaon32.dll
Source: C:\Windows\SysWOW64\Peflki32.exe File created: C:\Windows\SysWOW64\Pbjldmnk.exe
Source: C:\Windows\SysWOW64\Peflki32.exe File created: C:\Windows\SysWOW64\Ifckbmfk.dll
Source: C:\Windows\SysWOW64\Pbjldmnk.exe File created: C:\Windows\SysWOW64\Phgemdlb.exe
Source: C:\Windows\SysWOW64\Pbjldmnk.exe File created: C:\Windows\SysWOW64\Hhchjh32.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe File created: C:\Windows\SysWOW64\Qclijmlh.exe
Source: C:\Windows\SysWOW64\Phgemdlb.exe File created: C:\Windows\SysWOW64\Gnbckd32.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe File created: C:\Windows\SysWOW64\Qlencbbi.exe
Source: C:\Windows\SysWOW64\Qclijmlh.exe File created: C:\Windows\SysWOW64\Gdandi32.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe File created: C:\Windows\SysWOW64\Qiinlgab.exe
Source: C:\Windows\SysWOW64\Qlencbbi.exe File created: C:\Windows\SysWOW64\Kipcln32.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe File created: C:\Windows\SysWOW64\Acabel32.exe
Source: C:\Windows\SysWOW64\Qiinlgab.exe File created: C:\Windows\SysWOW64\Kafafkfn.dll
Source: C:\Windows\SysWOW64\Acabel32.exe File created: C:\Windows\SysWOW64\Ahnkmc32.exe
Source: C:\Windows\SysWOW64\Acabel32.exe File created: C:\Windows\SysWOW64\Oeppbb32.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe File created: C:\Windows\SysWOW64\Aafpfi32.exe
Source: C:\Windows\SysWOW64\Ahnkmc32.exe File created: C:\Windows\SysWOW64\Ekqdmopm.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe File created: C:\Windows\SysWOW64\Acflplcn.exe
Source: C:\Windows\SysWOW64\Aafpfi32.exe File created: C:\Windows\SysWOW64\Libmid32.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe File created: C:\Windows\SysWOW64\Ahbdhbbe.exe
Source: C:\Windows\SysWOW64\Acflplcn.exe File created: C:\Windows\SysWOW64\Mpckbo32.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe File created: C:\Windows\SysWOW64\Aakiahhf.exe
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe File created: C:\Windows\SysWOW64\Minhdh32.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe File created: C:\Windows\SysWOW64\Aheanb32.exe
Source: C:\Windows\SysWOW64\Aakiahhf.exe File created: C:\Windows\SysWOW64\Hangmbgd.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe File created: C:\Windows\SysWOW64\Acjekk32.exe
Source: C:\Windows\SysWOW64\Aheanb32.exe File created: C:\Windows\SysWOW64\Idfghqdo.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe File created: C:\Windows\SysWOW64\Bkfjpm32.exe
Source: C:\Windows\SysWOW64\Acjekk32.exe File created: C:\Windows\SysWOW64\Amnpoged.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe File created: C:\Windows\SysWOW64\Bapbmg32.exe
Source: C:\Windows\SysWOW64\Bkfjpm32.exe File created: C:\Windows\SysWOW64\Mfkcin32.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe File created: C:\Windows\SysWOW64\Blefjp32.exe
Source: C:\Windows\SysWOW64\Bapbmg32.exe File created: C:\Windows\SysWOW64\Hbdjjlja.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe File created: C:\Windows\SysWOW64\Bcoofjkc.exe
Source: C:\Windows\SysWOW64\Blefjp32.exe File created: C:\Windows\SysWOW64\Goiahmld.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe File created: C:\Windows\SysWOW64\Bcfegi32.exe
Source: C:\Windows\SysWOW64\Bcoofjkc.exe File created: C:\Windows\SysWOW64\Pabjpfjl.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe File created: C:\Windows\SysWOW64\Chhgjp32.exe
Source: C:\Windows\SysWOW64\Bcfegi32.exe File created: C:\Windows\SysWOW64\Akmbah32.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe File created: C:\Windows\SysWOW64\Cjjpjb32.exe
Source: C:\Windows\SysWOW64\Chhgjp32.exe File created: C:\Windows\SysWOW64\Dljmco32.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe File created: C:\Windows\SysWOW64\Ckklbjkl.exe
Source: C:\Windows\SysWOW64\Cjjpjb32.exe File created: C:\Windows\SysWOW64\Nlhhbhgi.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe File created: C:\Windows\SysWOW64\Cfpqocja.exe
Source: C:\Windows\SysWOW64\Ckklbjkl.exe File created: C:\Windows\SysWOW64\Noabbddh.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe File created: C:\Windows\SysWOW64\Dkmigjhi.exe
Source: C:\Windows\SysWOW64\Cfpqocja.exe File created: C:\Windows\SysWOW64\Idehkflp.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe File created: C:\Windows\SysWOW64\Dfbmdbho.exe
Source: C:\Windows\SysWOW64\Dkmigjhi.exe File created: C:\Windows\SysWOW64\Mcighdph.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe File created: C:\Windows\SysWOW64\Dokbmhoo.exe
Source: C:\Windows\SysWOW64\Dfbmdbho.exe File created: C:\Windows\SysWOW64\Cdoonp32.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe File created: C:\Windows\SysWOW64\Dkbbbi32.exe
Source: C:\Windows\SysWOW64\Dokbmhoo.exe File created: C:\Windows\SysWOW64\Balfnn32.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe File created: C:\Windows\SysWOW64\Dfggpb32.exe
Source: C:\Windows\SysWOW64\Dkbbbi32.exe File created: C:\Windows\SysWOW64\Eafkpm32.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe File created: C:\Windows\SysWOW64\Dkdohi32.exe
Source: C:\Windows\SysWOW64\Dfggpb32.exe File created: C:\Windows\SysWOW64\Kohghl32.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe File created: C:\Windows\SysWOW64\Djepfp32.exe
Source: C:\Windows\SysWOW64\Dkdohi32.exe File created: C:\Windows\SysWOW64\Jlogbg32.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe File created: C:\Windows\SysWOW64\Dobhng32.exe
Source: C:\Windows\SysWOW64\Djepfp32.exe File created: C:\Windows\SysWOW64\Jffcjk32.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe File created: C:\Windows\SysWOW64\Ejhlkp32.exe
Source: C:\Windows\SysWOW64\Dobhng32.exe File created: C:\Windows\SysWOW64\Faocenna.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe File created: C:\Windows\SysWOW64\Ebcapbfh.exe
Source: C:\Windows\SysWOW64\Ejhlkp32.exe File created: C:\Windows\SysWOW64\Kdiaom32.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe File created: C:\Windows\SysWOW64\Epgaifdb.exe
Source: C:\Windows\SysWOW64\Ebcapbfh.exe File created: C:\Windows\SysWOW64\Nmajap32.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe File created: C:\Windows\SysWOW64\Elnbng32.exe
Source: C:\Windows\SysWOW64\Epgaifdb.exe File created: C:\Windows\SysWOW64\Jbhdqi32.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe File created: C:\Windows\SysWOW64\Ejoblo32.exe
Source: C:\Windows\SysWOW64\Elnbng32.exe File created: C:\Windows\SysWOW64\Akdfgp32.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe File created: C:\Windows\SysWOW64\Ecggedif.exe
Source: C:\Windows\SysWOW64\Ejoblo32.exe File created: C:\Windows\SysWOW64\Pjpnlq32.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0042D178 0_2_0042D178
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0042D179 0_2_0042D179
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0042D37E 0_2_0042D37E
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0042D178 1_2_0042D178
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0042D179 1_2_0042D179
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0042D37E 1_2_0042D37E
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0042D178 2_2_0042D178
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0042D179 2_2_0042D179
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0042D37E 2_2_0042D37E
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0042D178 3_2_0042D178
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0042D179 3_2_0042D179
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0042D37E 3_2_0042D37E
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0042D178 4_2_0042D178
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0042D179 4_2_0042D179
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0042D37E 4_2_0042D37E
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0042D178 5_2_0042D178
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0042D179 5_2_0042D179
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0042D37E 5_2_0042D37E
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0042D178 6_2_0042D178
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0042D179 6_2_0042D179
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0042D37E 6_2_0042D37E
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0042D178 8_2_0042D178
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0042D179 8_2_0042D179
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0042D37E 8_2_0042D37E
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0042D178 9_2_0042D178
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0042D179 9_2_0042D179
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0042D37E 9_2_0042D37E
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0042D178 10_2_0042D178
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0042D179 10_2_0042D179
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0042D37E 10_2_0042D37E
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0042D178 11_2_0042D178
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0042D179 11_2_0042D179
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0042D37E 11_2_0042D37E
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0042D178 12_2_0042D178
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0042D179 12_2_0042D179
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0042D37E 12_2_0042D37E
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0042D178 13_2_0042D178
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0042D179 13_2_0042D179
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0042D37E 13_2_0042D37E
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0042D178 14_2_0042D178
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0042D179 14_2_0042D179
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0042D37E 14_2_0042D37E
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0042D178 15_2_0042D178
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0042D179 15_2_0042D179
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0042D37E 15_2_0042D37E
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0042D178 16_2_0042D178
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0042D179 16_2_0042D179
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0042D37E 16_2_0042D37E
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0042D178 17_2_0042D178
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0042D179 17_2_0042D179
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0042D37E 17_2_0042D37E
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0042D178 18_2_0042D178
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0042D179 18_2_0042D179
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0042D37E 18_2_0042D37E
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0042D178 19_2_0042D178
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0042D179 19_2_0042D179
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0042D37E 19_2_0042D37E
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0042D178 20_2_0042D178
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0042D179 20_2_0042D179
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0042D37E 20_2_0042D37E
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0042D178 21_2_0042D178
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0042D179 21_2_0042D179
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0042D37E 21_2_0042D37E
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0042D178 22_2_0042D178
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0042D179 22_2_0042D179
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0042D37E 22_2_0042D37E
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0042D178 23_2_0042D178
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0042D179 23_2_0042D179
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0042D37E 23_2_0042D37E
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0042D178 24_2_0042D178
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0042D179 24_2_0042D179
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0042D37E 24_2_0042D37E
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0042D178 25_2_0042D178
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0042D179 25_2_0042D179
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0042D37E 25_2_0042D37E
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0042D178 26_2_0042D178
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0042D179 26_2_0042D179
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0042D37E 26_2_0042D37E
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: String function: 0040C12C appears 34 times
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: String function: 0040C788 appears 36 times
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: String function: 0040C524 appears 36 times
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: String function: 0040C12C appears 34 times
Source: Bkfjpm32.exe.17.dr Static PE information: Number of sections : 12 > 10
Source: Piokfhim.exe.1.dr Static PE information: Number of sections : 12 > 10
Source: Ckklbjkl.exe.24.dr Static PE information: Number of sections : 12 > 10
Source: Chhgjp32.exe.22.dr Static PE information: Number of sections : 12 > 10
Source: Dokbmhoo.exe.28.dr Static PE information: Number of sections : 12 > 10
Source: Qlencbbi.exe.6.dr Static PE information: Number of sections : 12 > 10
Source: Dfggpb32.exe.30.dr Static PE information: Number of sections : 12 > 10
Source: Ahnkmc32.exe.10.dr Static PE information: Number of sections : 12 > 10
Source: puTBVYGxNA.exe Static PE information: Number of sections : 12 > 10
Source: Qiinlgab.exe.8.dr Static PE information: Number of sections : 12 > 10
Source: Aheanb32.exe.15.dr Static PE information: Number of sections : 12 > 10
Source: Dkmigjhi.exe.26.dr Static PE information: Number of sections : 12 > 10
Source: Bapbmg32.exe.18.dr Static PE information: Number of sections : 12 > 10
Source: Blefjp32.exe.19.dr Static PE information: Number of sections : 12 > 10
Source: Dkbbbi32.exe.29.dr Static PE information: Number of sections : 12 > 10
Source: Pbjldmnk.exe.3.dr Static PE information: Number of sections : 12 > 10
Source: Aafpfi32.exe.11.dr Static PE information: Number of sections : 12 > 10
Source: Ejhlkp32.exe.34.dr Static PE information: Number of sections : 12 > 10
Source: Dobhng32.exe.33.dr Static PE information: Number of sections : 12 > 10
Source: Ejoblo32.exe.38.dr Static PE information: Number of sections : 12 > 10
Source: Pojgioig.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: Bcoofjkc.exe.20.dr Static PE information: Number of sections : 12 > 10
Source: Phgemdlb.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: Dfbmdbho.exe.27.dr Static PE information: Number of sections : 12 > 10
Source: Bcfegi32.exe.21.dr Static PE information: Number of sections : 12 > 10
Source: Ecggedif.exe.39.dr Static PE information: Number of sections : 12 > 10
Source: Acabel32.exe.9.dr Static PE information: Number of sections : 12 > 10
Source: Peflki32.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: Cjjpjb32.exe.23.dr Static PE information: Number of sections : 12 > 10
Source: Elnbng32.exe.37.dr Static PE information: Number of sections : 12 > 10
Source: Dkdohi32.exe.31.dr Static PE information: Number of sections : 12 > 10
Source: Cfpqocja.exe.25.dr Static PE information: Number of sections : 12 > 10
Source: Ebcapbfh.exe.35.dr Static PE information: Number of sections : 12 > 10
Source: Epgaifdb.exe.36.dr Static PE information: Number of sections : 12 > 10
Source: Ahbdhbbe.exe.13.dr Static PE information: Number of sections : 12 > 10
Source: Qclijmlh.exe.5.dr Static PE information: Number of sections : 12 > 10
Source: Acflplcn.exe.12.dr Static PE information: Number of sections : 12 > 10
Source: Djepfp32.exe.32.dr Static PE information: Number of sections : 12 > 10
Source: Aakiahhf.exe.14.dr Static PE information: Number of sections : 12 > 10
Source: Acjekk32.exe.16.dr Static PE information: Number of sections : 12 > 10
Source: puTBVYGxNA.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: puTBVYGxNA.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pojgioig.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Piokfhim.exe.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Peflki32.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Pbjldmnk.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Phgemdlb.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qclijmlh.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qlencbbi.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Qiinlgab.exe.8.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acabel32.exe.9.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ahnkmc32.exe.10.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aafpfi32.exe.11.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acflplcn.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ahbdhbbe.exe.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aakiahhf.exe.14.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Aheanb32.exe.15.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acjekk32.exe.16.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bkfjpm32.exe.17.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bapbmg32.exe.18.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Blefjp32.exe.19.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bcoofjkc.exe.20.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Bcfegi32.exe.21.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Chhgjp32.exe.22.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cjjpjb32.exe.23.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ckklbjkl.exe.24.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Cfpqocja.exe.25.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dkmigjhi.exe.26.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dfbmdbho.exe.27.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dokbmhoo.exe.28.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dkbbbi32.exe.29.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dfggpb32.exe.30.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dkdohi32.exe.31.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Djepfp32.exe.32.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Dobhng32.exe.33.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ejhlkp32.exe.34.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ebcapbfh.exe.35.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Epgaifdb.exe.36.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Elnbng32.exe.37.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ejoblo32.exe.38.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Ecggedif.exe.39.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal96.evad.winEXE@78/79@0/0
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00401625 CoInitialize,CLSIDFromString,CoTaskMemAlloc,CoCreateInstance, 0_2_00401625
Source: puTBVYGxNA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: puTBVYGxNA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: puTBVYGxNA.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\puTBVYGxNA.exe File read: C:\Users\user\Desktop\puTBVYGxNA.exe
Source: unknown Process created: C:\Users\user\Desktop\puTBVYGxNA.exe "C:\Users\user\Desktop\puTBVYGxNA.exe"
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Process created: C:\Windows\SysWOW64\Pojgioig.exe C:\Windows\system32\Pojgioig.exe
Source: C:\Windows\SysWOW64\Pojgioig.exe Process created: C:\Windows\SysWOW64\Piokfhim.exe C:\Windows\system32\Piokfhim.exe
Source: C:\Windows\SysWOW64\Piokfhim.exe Process created: C:\Windows\SysWOW64\Peflki32.exe C:\Windows\system32\Peflki32.exe
Source: C:\Windows\SysWOW64\Peflki32.exe Process created: C:\Windows\SysWOW64\Pbjldmnk.exe C:\Windows\system32\Pbjldmnk.exe
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Process created: C:\Windows\SysWOW64\Phgemdlb.exe C:\Windows\system32\Phgemdlb.exe
Source: C:\Windows\SysWOW64\Phgemdlb.exe Process created: C:\Windows\SysWOW64\Qclijmlh.exe C:\Windows\system32\Qclijmlh.exe
Source: C:\Windows\SysWOW64\Qclijmlh.exe Process created: C:\Windows\SysWOW64\Qlencbbi.exe C:\Windows\system32\Qlencbbi.exe
Source: C:\Windows\SysWOW64\Qlencbbi.exe Process created: C:\Windows\SysWOW64\Qiinlgab.exe C:\Windows\system32\Qiinlgab.exe
Source: C:\Windows\SysWOW64\Qiinlgab.exe Process created: C:\Windows\SysWOW64\Acabel32.exe C:\Windows\system32\Acabel32.exe
Source: C:\Windows\SysWOW64\Acabel32.exe Process created: C:\Windows\SysWOW64\Ahnkmc32.exe C:\Windows\system32\Ahnkmc32.exe
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Process created: C:\Windows\SysWOW64\Aafpfi32.exe C:\Windows\system32\Aafpfi32.exe
Source: C:\Windows\SysWOW64\Aafpfi32.exe Process created: C:\Windows\SysWOW64\Acflplcn.exe C:\Windows\system32\Acflplcn.exe
Source: C:\Windows\SysWOW64\Acflplcn.exe Process created: C:\Windows\SysWOW64\Ahbdhbbe.exe C:\Windows\system32\Ahbdhbbe.exe
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Process created: C:\Windows\SysWOW64\Aakiahhf.exe C:\Windows\system32\Aakiahhf.exe
Source: C:\Windows\SysWOW64\Aakiahhf.exe Process created: C:\Windows\SysWOW64\Aheanb32.exe C:\Windows\system32\Aheanb32.exe
Source: C:\Windows\SysWOW64\Aheanb32.exe Process created: C:\Windows\SysWOW64\Acjekk32.exe C:\Windows\system32\Acjekk32.exe
Source: C:\Windows\SysWOW64\Acjekk32.exe Process created: C:\Windows\SysWOW64\Bkfjpm32.exe C:\Windows\system32\Bkfjpm32.exe
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Process created: C:\Windows\SysWOW64\Bapbmg32.exe C:\Windows\system32\Bapbmg32.exe
Source: C:\Windows\SysWOW64\Bapbmg32.exe Process created: C:\Windows\SysWOW64\Blefjp32.exe C:\Windows\system32\Blefjp32.exe
Source: C:\Windows\SysWOW64\Blefjp32.exe Process created: C:\Windows\SysWOW64\Bcoofjkc.exe C:\Windows\system32\Bcoofjkc.exe
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Process created: C:\Windows\SysWOW64\Bcfegi32.exe C:\Windows\system32\Bcfegi32.exe
Source: C:\Windows\SysWOW64\Bcfegi32.exe Process created: C:\Windows\SysWOW64\Chhgjp32.exe C:\Windows\system32\Chhgjp32.exe
Source: C:\Windows\SysWOW64\Chhgjp32.exe Process created: C:\Windows\SysWOW64\Cjjpjb32.exe C:\Windows\system32\Cjjpjb32.exe
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Process created: C:\Windows\SysWOW64\Ckklbjkl.exe C:\Windows\system32\Ckklbjkl.exe
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Process created: C:\Windows\SysWOW64\Cfpqocja.exe C:\Windows\system32\Cfpqocja.exe
Source: C:\Windows\SysWOW64\Cfpqocja.exe Process created: C:\Windows\SysWOW64\Dkmigjhi.exe C:\Windows\system32\Dkmigjhi.exe
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Process created: C:\Windows\SysWOW64\Dfbmdbho.exe C:\Windows\system32\Dfbmdbho.exe
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Process created: C:\Windows\SysWOW64\Dokbmhoo.exe C:\Windows\system32\Dokbmhoo.exe
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Process created: C:\Windows\SysWOW64\Dkbbbi32.exe C:\Windows\system32\Dkbbbi32.exe
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Process created: C:\Windows\SysWOW64\Dfggpb32.exe C:\Windows\system32\Dfggpb32.exe
Source: C:\Windows\SysWOW64\Dfggpb32.exe Process created: C:\Windows\SysWOW64\Dkdohi32.exe C:\Windows\system32\Dkdohi32.exe
Source: C:\Windows\SysWOW64\Dkdohi32.exe Process created: C:\Windows\SysWOW64\Djepfp32.exe C:\Windows\system32\Djepfp32.exe
Source: C:\Windows\SysWOW64\Djepfp32.exe Process created: C:\Windows\SysWOW64\Dobhng32.exe C:\Windows\system32\Dobhng32.exe
Source: C:\Windows\SysWOW64\Dobhng32.exe Process created: C:\Windows\SysWOW64\Ejhlkp32.exe C:\Windows\system32\Ejhlkp32.exe
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Process created: C:\Windows\SysWOW64\Ebcapbfh.exe C:\Windows\system32\Ebcapbfh.exe
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Process created: C:\Windows\SysWOW64\Epgaifdb.exe C:\Windows\system32\Epgaifdb.exe
Source: C:\Windows\SysWOW64\Epgaifdb.exe Process created: C:\Windows\SysWOW64\Elnbng32.exe C:\Windows\system32\Elnbng32.exe
Source: C:\Windows\SysWOW64\Elnbng32.exe Process created: C:\Windows\SysWOW64\Ejoblo32.exe C:\Windows\system32\Ejoblo32.exe
Source: C:\Windows\SysWOW64\Ejoblo32.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Section loaded: crtdll.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Peflki32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Peflki32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Peflki32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Peflki32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Peflki32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Acabel32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Acabel32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Acabel32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Acabel32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Acabel32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Section loaded: wsock32.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Section loaded: crtdll.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00402C54 LocalAlloc,LoadLibraryA,GetProcAddress,FreeLibrary,LocalFree, 0_2_00402C54
Source: puTBVYGxNA.exe Static PE information: section name: .text entropy: 7.1548005199947085
Source: Pojgioig.exe.0.dr Static PE information: section name: .text entropy: 7.192668739143715
Source: Piokfhim.exe.1.dr Static PE information: section name: .text entropy: 7.193979978202133
Source: Peflki32.exe.2.dr Static PE information: section name: .text entropy: 7.1690382014922305
Source: Pbjldmnk.exe.3.dr Static PE information: section name: .text entropy: 7.213170730335581
Source: Phgemdlb.exe.4.dr Static PE information: section name: .text entropy: 7.212513982595105
Source: Qclijmlh.exe.5.dr Static PE information: section name: .text entropy: 7.107875198376302
Source: Qlencbbi.exe.6.dr Static PE information: section name: .text entropy: 7.182061204407341
Source: Qiinlgab.exe.8.dr Static PE information: section name: .text entropy: 7.1829658247947945
Source: Acabel32.exe.9.dr Static PE information: section name: .text entropy: 7.016806357908303
Source: Ahnkmc32.exe.10.dr Static PE information: section name: .text entropy: 7.169364503356537
Source: Aafpfi32.exe.11.dr Static PE information: section name: .text entropy: 6.9331223034789335
Source: Acflplcn.exe.12.dr Static PE information: section name: .text entropy: 7.216514289742526
Source: Ahbdhbbe.exe.13.dr Static PE information: section name: .text entropy: 7.153774402197733
Source: Aakiahhf.exe.14.dr Static PE information: section name: .text entropy: 7.172756290905324
Source: Aheanb32.exe.15.dr Static PE information: section name: .text entropy: 7.160370867636804
Source: Acjekk32.exe.16.dr Static PE information: section name: .text entropy: 7.135886634604364
Source: Bkfjpm32.exe.17.dr Static PE information: section name: .text entropy: 7.217118429434387
Source: Bapbmg32.exe.18.dr Static PE information: section name: .text entropy: 7.2107905554225535
Source: Blefjp32.exe.19.dr Static PE information: section name: .text entropy: 7.167753610660732
Source: Bcoofjkc.exe.20.dr Static PE information: section name: .text entropy: 7.220386827688889
Source: Bcfegi32.exe.21.dr Static PE information: section name: .text entropy: 7.210378256156283
Source: Chhgjp32.exe.22.dr Static PE information: section name: .text entropy: 7.163283820263094
Source: Cjjpjb32.exe.23.dr Static PE information: section name: .text entropy: 7.155634786011917
Source: Ckklbjkl.exe.24.dr Static PE information: section name: .text entropy: 7.139679060017429
Source: Cfpqocja.exe.25.dr Static PE information: section name: .text entropy: 7.2018100187651255
Source: Dkmigjhi.exe.26.dr Static PE information: section name: .text entropy: 7.029542467720144
Source: Dfbmdbho.exe.27.dr Static PE information: section name: .text entropy: 7.222917226478193
Source: Dokbmhoo.exe.28.dr Static PE information: section name: .text entropy: 7.21303617173496
Source: Dkbbbi32.exe.29.dr Static PE information: section name: .text entropy: 6.990426030622729
Source: Dfggpb32.exe.30.dr Static PE information: section name: .text entropy: 7.00518266970525
Source: Dkdohi32.exe.31.dr Static PE information: section name: .text entropy: 7.179336927279181
Source: Djepfp32.exe.32.dr Static PE information: section name: .text entropy: 7.2036512120412866
Source: Dobhng32.exe.33.dr Static PE information: section name: .text entropy: 7.0894012708109955
Source: Ejhlkp32.exe.34.dr Static PE information: section name: .text entropy: 7.224669262635724
Source: Ebcapbfh.exe.35.dr Static PE information: section name: .text entropy: 7.208177559941241
Source: Epgaifdb.exe.36.dr Static PE information: section name: .text entropy: 7.1803129718369
Source: Elnbng32.exe.37.dr Static PE information: section name: .text entropy: 7.19179573555547
Source: Ejoblo32.exe.38.dr Static PE information: section name: .text entropy: 7.291961736305299
Source: Ecggedif.exe.39.dr Static PE information: section name: .text entropy: 7.207196817512479

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\Aafpfi32.exe Executable created and started: C:\Windows\SysWOW64\Acflplcn.exe Jump to behavior
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Executable created and started: C:\Windows\SysWOW64\Pojgioig.exe Jump to behavior
Source: C:\Windows\SysWOW64\Qclijmlh.exe Executable created and started: C:\Windows\SysWOW64\Qlencbbi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Acjekk32.exe Executable created and started: C:\Windows\SysWOW64\Bkfjpm32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Acflplcn.exe Executable created and started: C:\Windows\SysWOW64\Ahbdhbbe.exe Jump to behavior
Source: C:\Windows\SysWOW64\Qlencbbi.exe Executable created and started: C:\Windows\SysWOW64\Qiinlgab.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Executable created and started: C:\Windows\SysWOW64\Epgaifdb.exe
Source: C:\Windows\SysWOW64\Piokfhim.exe Executable created and started: C:\Windows\SysWOW64\Peflki32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Aakiahhf.exe Executable created and started: C:\Windows\SysWOW64\Aheanb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Aheanb32.exe Executable created and started: C:\Windows\SysWOW64\Acjekk32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Executable created and started: C:\Windows\SysWOW64\Dkbbbi32.exe
Source: C:\Windows\SysWOW64\Epgaifdb.exe Executable created and started: C:\Windows\SysWOW64\Elnbng32.exe
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Executable created and started: C:\Windows\SysWOW64\Aakiahhf.exe Jump to behavior
Source: C:\Windows\SysWOW64\Cfpqocja.exe Executable created and started: C:\Windows\SysWOW64\Dkmigjhi.exe Jump to behavior
Source: C:\Windows\SysWOW64\Qiinlgab.exe Executable created and started: C:\Windows\SysWOW64\Acabel32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dfggpb32.exe Executable created and started: C:\Windows\SysWOW64\Dkdohi32.exe
Source: C:\Windows\SysWOW64\Djepfp32.exe Executable created and started: C:\Windows\SysWOW64\Dobhng32.exe
Source: C:\Windows\SysWOW64\Blefjp32.exe Executable created and started: C:\Windows\SysWOW64\Bcoofjkc.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bcfegi32.exe Executable created and started: C:\Windows\SysWOW64\Chhgjp32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dobhng32.exe Executable created and started: C:\Windows\SysWOW64\Ejhlkp32.exe
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Executable created and started: C:\Windows\SysWOW64\Bcfegi32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Pojgioig.exe Executable created and started: C:\Windows\SysWOW64\Piokfhim.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bapbmg32.exe Executable created and started: C:\Windows\SysWOW64\Blefjp32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Peflki32.exe Executable created and started: C:\Windows\SysWOW64\Pbjldmnk.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dkdohi32.exe Executable created and started: C:\Windows\SysWOW64\Djepfp32.exe
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Executable created and started: C:\Windows\SysWOW64\Ebcapbfh.exe
Source: C:\Windows\SysWOW64\Acabel32.exe Executable created and started: C:\Windows\SysWOW64\Ahnkmc32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Executable created and started: C:\Windows\SysWOW64\Bapbmg32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Executable created and started: C:\Windows\SysWOW64\Ckklbjkl.exe Jump to behavior
Source: C:\Windows\SysWOW64\Chhgjp32.exe Executable created and started: C:\Windows\SysWOW64\Cjjpjb32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Executable created and started: C:\Windows\SysWOW64\Aafpfi32.exe Jump to behavior
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Executable created and started: C:\Windows\SysWOW64\Phgemdlb.exe Jump to behavior
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Executable created and started: C:\Windows\SysWOW64\Dokbmhoo.exe
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Executable created and started: C:\Windows\SysWOW64\Dfggpb32.exe
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Executable created and started: C:\Windows\SysWOW64\Cfpqocja.exe Jump to behavior
Source: C:\Windows\SysWOW64\Phgemdlb.exe Executable created and started: C:\Windows\SysWOW64\Qclijmlh.exe Jump to behavior
Source: C:\Windows\SysWOW64\Elnbng32.exe Executable created and started: C:\Windows\SysWOW64\Ejoblo32.exe
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Executable created and started: C:\Windows\SysWOW64\Dfbmdbho.exe
Source: C:\Windows\SysWOW64\Acabel32.exe File created: C:\Windows\SysWOW64\Oeppbb32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bcfegi32.exe File created: C:\Windows\SysWOW64\Akmbah32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Pojgioig.exe File created: C:\Windows\SysWOW64\Jhegaapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Aafpfi32.exe File created: C:\Windows\SysWOW64\Acflplcn.exe Jump to dropped file
Source: C:\Users\user\Desktop\puTBVYGxNA.exe File created: C:\Windows\SysWOW64\Pojgioig.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Aakiahhf.exe File created: C:\Windows\SysWOW64\Hangmbgd.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dkdohi32.exe File created: C:\Windows\SysWOW64\Jlogbg32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Piokfhim.exe File created: C:\Windows\SysWOW64\Eojaon32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Qclijmlh.exe File created: C:\Windows\SysWOW64\Qlencbbi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Aheanb32.exe File created: C:\Windows\SysWOW64\Idfghqdo.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Acjekk32.exe File created: C:\Windows\SysWOW64\Bkfjpm32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Acflplcn.exe File created: C:\Windows\SysWOW64\Ahbdhbbe.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qlencbbi.exe File created: C:\Windows\SysWOW64\Qiinlgab.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ejoblo32.exe File created: C:\Windows\SysWOW64\Ecggedif.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ebcapbfh.exe File created: C:\Windows\SysWOW64\Epgaifdb.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Piokfhim.exe File created: C:\Windows\SysWOW64\Peflki32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Aakiahhf.exe File created: C:\Windows\SysWOW64\Aheanb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Aheanb32.exe File created: C:\Windows\SysWOW64\Acjekk32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bapbmg32.exe File created: C:\Windows\SysWOW64\Hbdjjlja.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dokbmhoo.exe File created: C:\Windows\SysWOW64\Dkbbbi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Epgaifdb.exe File created: C:\Windows\SysWOW64\Elnbng32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe File created: C:\Windows\SysWOW64\Aakiahhf.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe File created: C:\Windows\SysWOW64\Minhdh32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cjjpjb32.exe File created: C:\Windows\SysWOW64\Nlhhbhgi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Peflki32.exe File created: C:\Windows\SysWOW64\Ifckbmfk.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dkmigjhi.exe File created: C:\Windows\SysWOW64\Mcighdph.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Acflplcn.exe File created: C:\Windows\SysWOW64\Mpckbo32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfpqocja.exe File created: C:\Windows\SysWOW64\Dkmigjhi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qiinlgab.exe File created: C:\Windows\SysWOW64\Acabel32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dfggpb32.exe File created: C:\Windows\SysWOW64\Dkdohi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Djepfp32.exe File created: C:\Windows\SysWOW64\Dobhng32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Blefjp32.exe File created: C:\Windows\SysWOW64\Bcoofjkc.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bcfegi32.exe File created: C:\Windows\SysWOW64\Chhgjp32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dobhng32.exe File created: C:\Windows\SysWOW64\Ejhlkp32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bcoofjkc.exe File created: C:\Windows\SysWOW64\Bcfegi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Chhgjp32.exe File created: C:\Windows\SysWOW64\Dljmco32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Acjekk32.exe File created: C:\Windows\SysWOW64\Amnpoged.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Pojgioig.exe File created: C:\Windows\SysWOW64\Piokfhim.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ebcapbfh.exe File created: C:\Windows\SysWOW64\Nmajap32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bapbmg32.exe File created: C:\Windows\SysWOW64\Blefjp32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ejoblo32.exe File created: C:\Windows\SysWOW64\Pjpnlq32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Blefjp32.exe File created: C:\Windows\SysWOW64\Goiahmld.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Elnbng32.exe File created: C:\Windows\SysWOW64\Akdfgp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Peflki32.exe File created: C:\Windows\SysWOW64\Pbjldmnk.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qclijmlh.exe File created: C:\Windows\SysWOW64\Gdandi32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dkdohi32.exe File created: C:\Windows\SysWOW64\Djepfp32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ejhlkp32.exe File created: C:\Windows\SysWOW64\Ebcapbfh.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Acabel32.exe File created: C:\Windows\SysWOW64\Ahnkmc32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Qiinlgab.exe File created: C:\Windows\SysWOW64\Kafafkfn.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bkfjpm32.exe File created: C:\Windows\SysWOW64\Bapbmg32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Phgemdlb.exe File created: C:\Windows\SysWOW64\Gnbckd32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Qlencbbi.exe File created: C:\Windows\SysWOW64\Kipcln32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cjjpjb32.exe File created: C:\Windows\SysWOW64\Ckklbjkl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Chhgjp32.exe File created: C:\Windows\SysWOW64\Cjjpjb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Pbjldmnk.exe File created: C:\Windows\SysWOW64\Hhchjh32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Bcoofjkc.exe File created: C:\Windows\SysWOW64\Pabjpfjl.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Aafpfi32.exe File created: C:\Windows\SysWOW64\Libmid32.dll Jump to dropped file
Source: C:\Users\user\Desktop\puTBVYGxNA.exe File created: C:\Windows\SysWOW64\Dblhbnio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ahnkmc32.exe File created: C:\Windows\SysWOW64\Aafpfi32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Pbjldmnk.exe File created: C:\Windows\SysWOW64\Phgemdlb.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Epgaifdb.exe File created: C:\Windows\SysWOW64\Jbhdqi32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ckklbjkl.exe File created: C:\Windows\SysWOW64\Noabbddh.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dfbmdbho.exe File created: C:\Windows\SysWOW64\Dokbmhoo.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dkbbbi32.exe File created: C:\Windows\SysWOW64\Dfggpb32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Ejhlkp32.exe File created: C:\Windows\SysWOW64\Kdiaom32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Cfpqocja.exe File created: C:\Windows\SysWOW64\Idehkflp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ahnkmc32.exe File created: C:\Windows\SysWOW64\Ekqdmopm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Djepfp32.exe File created: C:\Windows\SysWOW64\Jffcjk32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Ckklbjkl.exe File created: C:\Windows\SysWOW64\Cfpqocja.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dokbmhoo.exe File created: C:\Windows\SysWOW64\Balfnn32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dkbbbi32.exe File created: C:\Windows\SysWOW64\Eafkpm32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dobhng32.exe File created: C:\Windows\SysWOW64\Faocenna.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Phgemdlb.exe File created: C:\Windows\SysWOW64\Qclijmlh.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Elnbng32.exe File created: C:\Windows\SysWOW64\Ejoblo32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Bkfjpm32.exe File created: C:\Windows\SysWOW64\Mfkcin32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dkmigjhi.exe File created: C:\Windows\SysWOW64\Dfbmdbho.exe Jump to dropped file
Source: C:\Windows\SysWOW64\Dfbmdbho.exe File created: C:\Windows\SysWOW64\Cdoonp32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\Dfggpb32.exe File created: C:\Windows\SysWOW64\Kohghl32.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\puTBVYGxNA.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger Jump to behavior
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Blefjp32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Bcfegi32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Cfpqocja.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Piokfhim.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Qlencbbi.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Qclijmlh.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Pojgioig.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Aafpfi32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Acabel32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Bapbmg32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Qiinlgab.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Acflplcn.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Aheanb32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Acjekk32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Phgemdlb.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Aakiahhf.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Peflki32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Chhgjp32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\Acabel32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Oeppbb32.dll
Source: C:\Windows\SysWOW64\Ebcapbfh.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Nmajap32.dll
Source: C:\Windows\SysWOW64\Bcfegi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Akmbah32.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pjpnlq32.dll
Source: C:\Windows\SysWOW64\Elnbng32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Akdfgp32.dll
Source: C:\Windows\SysWOW64\Blefjp32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Goiahmld.dll
Source: C:\Windows\SysWOW64\Pojgioig.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jhegaapi.dll
Source: C:\Windows\SysWOW64\Qclijmlh.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Gdandi32.dll
Source: C:\Windows\SysWOW64\Aakiahhf.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hangmbgd.dll
Source: C:\Windows\SysWOW64\Dkdohi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jlogbg32.dll
Source: C:\Windows\SysWOW64\Qiinlgab.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kafafkfn.dll
Source: C:\Windows\SysWOW64\Piokfhim.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Eojaon32.dll
Source: C:\Windows\SysWOW64\Qlencbbi.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kipcln32.dll
Source: C:\Windows\SysWOW64\Phgemdlb.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Gnbckd32.dll
Source: C:\Windows\SysWOW64\Aheanb32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Idfghqdo.dll
Source: C:\Windows\SysWOW64\Ejoblo32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ecggedif.exe
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hhchjh32.dll
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Pabjpfjl.dll
Source: C:\Windows\SysWOW64\Aafpfi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Libmid32.dll
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Dblhbnio.dll
Source: C:\Windows\SysWOW64\Epgaifdb.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jbhdqi32.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Hbdjjlja.dll
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Noabbddh.dll
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Minhdh32.dll
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Nlhhbhgi.dll
Source: C:\Windows\SysWOW64\Dkmigjhi.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Mcighdph.dll
Source: C:\Windows\SysWOW64\Peflki32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ifckbmfk.dll
Source: C:\Windows\SysWOW64\Ejhlkp32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kdiaom32.dll
Source: C:\Windows\SysWOW64\Cfpqocja.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Idehkflp.dll
Source: C:\Windows\SysWOW64\Acflplcn.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Mpckbo32.dll
Source: C:\Windows\SysWOW64\Djepfp32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Jffcjk32.dll
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Ekqdmopm.dll
Source: C:\Windows\SysWOW64\Dokbmhoo.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Balfnn32.dll
Source: C:\Windows\SysWOW64\Dkbbbi32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Eafkpm32.dll
Source: C:\Windows\SysWOW64\Dobhng32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Faocenna.dll
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Mfkcin32.dll
Source: C:\Windows\SysWOW64\Dfggpb32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Kohghl32.dll
Source: C:\Windows\SysWOW64\Chhgjp32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Dljmco32.dll
Source: C:\Windows\SysWOW64\Dfbmdbho.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Cdoonp32.dll
Source: C:\Windows\SysWOW64\Acjekk32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Amnpoged.dll
Source: C:\Windows\SysWOW64\Bapbmg32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Qlencbbi.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Acflplcn.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Piokfhim.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Aheanb32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Blefjp32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Chhgjp32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Phgemdlb.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Aakiahhf.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Bcfegi32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Acjekk32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Peflki32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Qclijmlh.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Aafpfi32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Cfpqocja.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Pojgioig.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Acabel32.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\SysWOW64\Qiinlgab.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\puTBVYGxNA.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Pojgioig.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Piokfhim.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Peflki32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Pbjldmnk.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Phgemdlb.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Qclijmlh.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Qlencbbi.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Qiinlgab.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Acabel32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Ahnkmc32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Aafpfi32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Acflplcn.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Aakiahhf.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Aheanb32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Acjekk32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Bkfjpm32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Bapbmg32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Blefjp32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Bcoofjkc.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Bcfegi32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Chhgjp32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Cjjpjb32.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Ckklbjkl.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\Cfpqocja.exe API coverage: 4.5 %
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 0_2_00408349
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 1_2_00408349
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 2_2_00408349
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 3_2_00408349
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 4_2_00408349
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 5_2_00408349
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 6_2_00408349
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 8_2_00408349
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 9_2_00408349
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 10_2_00408349
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 11_2_00408349
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 12_2_00408349
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 13_2_00408349
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 14_2_00408349
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 15_2_00408349
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 16_2_00408349
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 17_2_00408349
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 18_2_00408349
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 19_2_00408349
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 20_2_00408349
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 21_2_00408349
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 22_2_00408349
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 23_2_00408349
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 24_2_00408349
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 25_2_00408349
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_00408349 lstrlenA,send,sprintf,sprintf,lstrlenA,send,FindFirstFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindNextFileA,FileTimeToSystemTime,sprintf,lstrlenA,send,FindClose,closesocket,lstrlenA,send, 26_2_00408349
Source: C:\Users\user\Desktop\puTBVYGxNA.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Pojgioig.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Piokfhim.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Peflki32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Pbjldmnk.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Phgemdlb.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Qclijmlh.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Qlencbbi.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Qiinlgab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Acabel32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Ahnkmc32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Aafpfi32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Acflplcn.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Aakiahhf.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Aheanb32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Acjekk32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Bkfjpm32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Bapbmg32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Blefjp32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Bcoofjkc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Bcfegi32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Chhgjp32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Cjjpjb32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Ckklbjkl.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\Cfpqocja.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00402C54 LocalAlloc,LoadLibraryA,GetProcAddress,FreeLibrary,LocalFree, 0_2_00402C54
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0040B504 strchr,strchr,GetLocalTime,GetTimeZoneInformation,lstrlenA,sprintf,sprintf,lstrlenA,DeleteFileA, 0_2_0040B504
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0040BB73 GetTickCount,GetTickCount,GetCurrentProcessId,OpenMutexA,GetTickCount,GetCurrentThreadId,CloseHandle,ExitProcess,GetSystemDirectoryA,GetTickCount,srand,GetModuleFileNameA,rand,rand,rand,sprintf,CopyFileA,WinExec,ExitProcess,sprintf,LoadCursorA,OleUninitialize,RegisterClassA,CreateWindowExA,CreateMutexA,WSAStartup,GetVersionExA,rand,rand,sprintf,sprintf,DeleteFileA,SetTimer,SetTimer, 0_2_0040BB73
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 0_2_0040A029
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 0_2_0040A737
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 1_2_0040A029
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 1_2_0040A737
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 2_2_0040A029
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 2_2_0040A737
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 3_2_0040A029
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 3_2_0040A737
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 4_2_0040A029
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 4_2_0040A737
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 5_2_0040A029
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 5_2_0040A737
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 6_2_0040A029
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 6_2_0040A737
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 8_2_0040A029
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 8_2_0040A737
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 9_2_0040A029
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 9_2_0040A737
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 10_2_0040A029
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 10_2_0040A737
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 11_2_0040A029
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 11_2_0040A737
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 12_2_0040A029
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 12_2_0040A737
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 13_2_0040A029
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 13_2_0040A737
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 14_2_0040A029
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 14_2_0040A737
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 15_2_0040A029
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 15_2_0040A737
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 16_2_0040A029
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 16_2_0040A737
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 17_2_0040A029
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 17_2_0040A737
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 18_2_0040A029
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 18_2_0040A737
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 19_2_0040A029
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 19_2_0040A737
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 20_2_0040A029
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 20_2_0040A737
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 21_2_0040A029
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 21_2_0040A737
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 22_2_0040A029
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 22_2_0040A737
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 23_2_0040A029
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 23_2_0040A737
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 24_2_0040A029
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 24_2_0040A737
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 25_2_0040A029
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 25_2_0040A737
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0040A029 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,InterlockedIncrement,memset,GetTickCount,srand,LocalFree,ExpandEnvironmentStringsA,LocalFree,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,Sleep,GetWindowTextA,DeleteFileA,LocalFree,TerminateProcess,CloseHandle, 26_2_0040A029
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0040A737 lstrlenA,GetTickCount,srand,InterlockedIncrement,memset,ExpandEnvironmentStringsA,strcat,strcat,memset,CreateProcessA,CloseHandle,sprintf,FindWindowA,Sleep,Sleep,GetWindowTextA,CopyFileA,DeleteFileA,lstrlenA,strncmp,lstrlenA,LocalFree,DeleteFileA,TerminateProcess,CloseHandle, 26_2_0040A737
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 0_2_0040947E
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 0_2_0040400C
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 0_2_00405536
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 0_2_004079F2
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00403DAB htons,bind,listen,accept,htons, 0_2_00403DAB
Source: C:\Users\user\Desktop\puTBVYGxNA.exe Code function: 0_2_00403E36 listen, 0_2_00403E36
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 1_2_0040947E
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 1_2_0040400C
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 1_2_00405536
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 1_2_004079F2
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_00403DAB htons,bind,listen,accept,htons, 1_2_00403DAB
Source: C:\Windows\SysWOW64\Pojgioig.exe Code function: 1_2_00403E36 listen, 1_2_00403E36
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 2_2_0040947E
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 2_2_0040400C
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 2_2_00405536
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 2_2_004079F2
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_00403DAB htons,bind,listen,accept,htons, 2_2_00403DAB
Source: C:\Windows\SysWOW64\Piokfhim.exe Code function: 2_2_00403E36 listen, 2_2_00403E36
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 3_2_0040947E
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 3_2_0040400C
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 3_2_00405536
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 3_2_004079F2
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_00403DAB htons,bind,listen,accept,htons, 3_2_00403DAB
Source: C:\Windows\SysWOW64\Peflki32.exe Code function: 3_2_00403E36 listen, 3_2_00403E36
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 4_2_0040947E
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 4_2_0040400C
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 4_2_00405536
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 4_2_004079F2
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_00403DAB htons,bind,listen,accept,htons, 4_2_00403DAB
Source: C:\Windows\SysWOW64\Pbjldmnk.exe Code function: 4_2_00403E36 listen, 4_2_00403E36
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 5_2_0040947E
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 5_2_0040400C
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 5_2_00405536
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 5_2_004079F2
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_00403DAB htons,bind,listen,accept,htons, 5_2_00403DAB
Source: C:\Windows\SysWOW64\Phgemdlb.exe Code function: 5_2_00403E36 listen, 5_2_00403E36
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 6_2_0040947E
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 6_2_0040400C
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 6_2_00405536
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 6_2_004079F2
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_00403DAB htons,bind,listen,accept,htons, 6_2_00403DAB
Source: C:\Windows\SysWOW64\Qclijmlh.exe Code function: 6_2_00403E36 listen, 6_2_00403E36
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 8_2_0040947E
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 8_2_0040400C
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 8_2_00405536
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 8_2_004079F2
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_00403DAB htons,bind,listen,accept,htons, 8_2_00403DAB
Source: C:\Windows\SysWOW64\Qlencbbi.exe Code function: 8_2_00403E36 listen, 8_2_00403E36
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 9_2_0040947E
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 9_2_0040400C
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 9_2_00405536
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 9_2_004079F2
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_00403DAB htons,bind,listen,accept,htons, 9_2_00403DAB
Source: C:\Windows\SysWOW64\Qiinlgab.exe Code function: 9_2_00403E36 listen, 9_2_00403E36
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 10_2_0040947E
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 10_2_0040400C
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 10_2_00405536
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 10_2_004079F2
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_00403DAB htons,bind,listen,accept,htons, 10_2_00403DAB
Source: C:\Windows\SysWOW64\Acabel32.exe Code function: 10_2_00403E36 listen, 10_2_00403E36
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 11_2_0040947E
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 11_2_0040400C
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 11_2_00405536
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 11_2_004079F2
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_00403DAB htons,bind,listen,accept,htons, 11_2_00403DAB
Source: C:\Windows\SysWOW64\Ahnkmc32.exe Code function: 11_2_00403E36 listen, 11_2_00403E36
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 12_2_0040947E
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 12_2_0040400C
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 12_2_00405536
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 12_2_004079F2
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_00403DAB htons,bind,listen,accept,htons, 12_2_00403DAB
Source: C:\Windows\SysWOW64\Aafpfi32.exe Code function: 12_2_00403E36 listen, 12_2_00403E36
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 13_2_0040947E
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 13_2_0040400C
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 13_2_00405536
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 13_2_004079F2
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_00403DAB htons,bind,listen,accept,htons, 13_2_00403DAB
Source: C:\Windows\SysWOW64\Acflplcn.exe Code function: 13_2_00403E36 listen, 13_2_00403E36
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 14_2_0040947E
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 14_2_0040400C
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 14_2_00405536
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 14_2_004079F2
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_00403DAB htons,bind,listen,accept,htons, 14_2_00403DAB
Source: C:\Windows\SysWOW64\Ahbdhbbe.exe Code function: 14_2_00403E36 listen, 14_2_00403E36
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 15_2_0040947E
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 15_2_0040400C
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 15_2_00405536
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 15_2_004079F2
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_00403DAB htons,bind,listen,accept,htons, 15_2_00403DAB
Source: C:\Windows\SysWOW64\Aakiahhf.exe Code function: 15_2_00403E36 listen, 15_2_00403E36
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 16_2_0040947E
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 16_2_0040400C
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 16_2_00405536
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 16_2_004079F2
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_00403DAB htons,bind,listen,accept,htons, 16_2_00403DAB
Source: C:\Windows\SysWOW64\Aheanb32.exe Code function: 16_2_00403E36 listen, 16_2_00403E36
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 17_2_0040947E
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 17_2_0040400C
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 17_2_00405536
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 17_2_004079F2
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_00403DAB htons,bind,listen,accept,htons, 17_2_00403DAB
Source: C:\Windows\SysWOW64\Acjekk32.exe Code function: 17_2_00403E36 listen, 17_2_00403E36
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 18_2_0040947E
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 18_2_0040400C
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 18_2_00405536
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 18_2_004079F2
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_00403DAB htons,bind,listen,accept,htons, 18_2_00403DAB
Source: C:\Windows\SysWOW64\Bkfjpm32.exe Code function: 18_2_00403E36 listen, 18_2_00403E36
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 19_2_0040947E
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 19_2_0040400C
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 19_2_00405536
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 19_2_004079F2
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_00403DAB htons,bind,listen,accept,htons, 19_2_00403DAB
Source: C:\Windows\SysWOW64\Bapbmg32.exe Code function: 19_2_00403E36 listen, 19_2_00403E36
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 20_2_0040947E
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 20_2_0040400C
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 20_2_00405536
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 20_2_004079F2
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_00403DAB htons,bind,listen,accept,htons, 20_2_00403DAB
Source: C:\Windows\SysWOW64\Blefjp32.exe Code function: 20_2_00403E36 listen, 20_2_00403E36
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 21_2_0040947E
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 21_2_0040400C
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 21_2_00405536
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 21_2_004079F2
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_00403DAB htons,bind,listen,accept,htons, 21_2_00403DAB
Source: C:\Windows\SysWOW64\Bcoofjkc.exe Code function: 21_2_00403E36 listen, 21_2_00403E36
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 22_2_0040947E
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 22_2_0040400C
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 22_2_00405536
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 22_2_004079F2
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_00403DAB htons,bind,listen,accept,htons, 22_2_00403DAB
Source: C:\Windows\SysWOW64\Bcfegi32.exe Code function: 22_2_00403E36 listen, 22_2_00403E36
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 23_2_0040947E
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 23_2_0040400C
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 23_2_00405536
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 23_2_004079F2
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_00403DAB htons,bind,listen,accept,htons, 23_2_00403DAB
Source: C:\Windows\SysWOW64\Chhgjp32.exe Code function: 23_2_00403E36 listen, 23_2_00403E36
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 24_2_0040947E
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 24_2_0040400C
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 24_2_00405536
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 24_2_004079F2
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_00403DAB htons,bind,listen,accept,htons, 24_2_00403DAB
Source: C:\Windows\SysWOW64\Cjjpjb32.exe Code function: 24_2_00403E36 listen, 24_2_00403E36
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 25_2_0040947E
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 25_2_0040400C
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 25_2_00405536
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 25_2_004079F2
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_00403DAB htons,bind,listen,accept,htons, 25_2_00403DAB
Source: C:\Windows\SysWOW64\Ckklbjkl.exe Code function: 25_2_00403E36 listen, 25_2_00403E36
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0040947E memset,socket,htons,bind,closesocket,listen,accept,closesocket,CreateThread,CloseHandle, 26_2_0040947E
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_0040400C socket,htonl,htons,bind,listen,accept,CreateThread,CloseHandle, 26_2_0040400C
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_00405536 socket,htons,bind,listen,accept,closesocket,CreateThread,CloseHandle, 26_2_00405536
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_004079F2 memset,socket,htons,bind,listen,memset,accept,CreateThread,CloseHandle,sprintf,closesocket,memset, 26_2_004079F2
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_00403DAB htons,bind,listen,accept,htons, 26_2_00403DAB
Source: C:\Windows\SysWOW64\Cfpqocja.exe Code function: 26_2_00403E36 listen, 26_2_00403E36
No contacted IP infos