
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 33765
Start time: 19:10:19
Joe Sandbox Product: CloudBasic
Start date: 08.10.2017
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: obtG43AWHP.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal80.evad.winEXE@77/2@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 230
  • Number of non-executed functions: 519
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 92.9% (good quality ratio 91.2%)
  • Quality average: 86.3%
  • Quality standard deviation: 23%
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 80 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | virustotal: Detection: 46%
Antivirus detection for submitted file
Source: obtG43AWH.exe | virustotal: Detection: 46%

DDoS:

Too many similar processes found
Source: obtG43AWHP.exe | Process created: 71

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run DX9 C++RTL
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run DX9 C++RTL
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run DX9 C++RTL
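A Run value named "DX9 C++RTL" in the user hive, written by a binary that was itself dropped under AppData\Roaming\Microsoft\DirectX, needs no elevation to plant and borrows a vendor-looking directory name. The Python routine below is an added example, not Joe Sandbox output or code from this sample, that triages autostart entries on exactly those properties. The entries it runs over are constructed: the report shows only the value name, so the command line attributed to "DX9 C++RTL" (launching the dropped nthost.exe) is an assumption, and the OneDrive entry is a benign control.

```python
import ntpath
import re

# Constructed Run-key entries for this example. The report records the value
# name "DX9 C++RTL" but not its data; the command line given for it here is an
# assumption. The OneDrive entry is a constructed benign control.
SAMPLE_RUN_ENTRIES = {
    "DX9 C++RTL": r'"C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

# Directories an unprivileged user can write to: an autostart image here needed
# no admin rights to plant, which is where droppers usually land.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                 "\\users\\public\\", "\\programdata\\", "\\desktop\\")
# Roots where a genuine Microsoft component would normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def executable_from_command(command: str) -> str:
    """Extract the image path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first ".exe" so paths with spaces survive.
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def assess_run_entry(name: str, command: str):
    """Return (image path, list of reasons this autostart entry looks suspicious)."""
    exe = executable_from_command(command)
    low = exe.lower()
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("image lives in a user-writable profile directory")
    if "\\microsoft\\" in low and not low.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-lookalike directory outside Windows / Program Files")
    # Legitimate entries almost always name the product they start; a value
    # name with no token from the image name is the "suspicious name" heuristic.
    base = ntpath.splitext(ntpath.basename(exe))[0].lower()
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.lower()) if len(t) >= 2]
    if not any(t in base or base in t for t in tokens):
        reasons.append("value name does not reference the image name")
    return exe, reasons


def triage(entries):
    """Map each Run value name to its findings; an empty list means nothing flagged."""
    return {name: assess_run_entry(name, cmd)[1] for name, cmd in entries.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(f"{name!r}: {reasons or 'no findings'}")
```

On a live host the same checks apply to HKCU and HKLM Run/RunOnce and to the per-user Startup folder; the user-writable test is the one that separates "planted without privileges" from "installed by an administrator".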

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\obtG43AWHP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_030073AC LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_030073AC
PE file contains an invalid checksum
Source: obtG43AWH.exe | Static PE information: real checksum: 0x8972b should be: 0x81a60
Source: nthost.exe.36.dr | Static PE information: real checksum: 0x8972b should be: 0x81a60
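The checksum finding compares the value stored in OptionalHeader.CheckSum (0x8972b) with the value recomputed over the file (0x81a60); the dropped nthost.exe reporting the identical pair is consistent with it being a byte-for-byte copy of the sample. The Python below is an added example, not part of the report, that recomputes the checksum the way imagehlp's CheckSumMappedFile does and runs it over a constructed minimal image (not a loadable PE; only the fields the walk needs are filled in). Windows enforces this field only for drivers and boot-critical system images, so a user-mode EXE loads regardless; a mismatch is a weak indicator on its own but is typical of a binary patched or packed after linking.

```python
import struct

OPT_HDR_CHECKSUM = 0x40   # offset of CheckSum inside IMAGE_OPTIONAL_HEADER (PE32 and PE32+)


def checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, located through e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM   # signature + IMAGE_FILE_HEADER


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum as imagehlp does: one's-complement sum of
    every 16-bit word except the CheckSum field itself, folded to 16 bits,
    plus the file length."""
    skip = checksum_offset(data)
    padded = data + b"\0" * (len(data) % 2)        # odd-length files get a zero pad
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def verify_checksum(data: bytes):
    """(value in header, recomputed value, match?): the triple behind the
    sandbox's 'real checksum ... should be ...' line."""
    stored, real = stored_checksum(data), pe_checksum(data)
    return stored, real, stored == real


def build_demo_image(header_checksum: int = 0) -> bytes:
    """Constructed 512-byte stand-in with just enough PE structure for the
    checksum walk. It is not loadable; only the fields used above are filled."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)         # Machine=i386, 1 section
    struct.pack_into("<HH", img, 0x54, 0xE0, 0x0102)     # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", img, 0x58, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, 0x58 + OPT_HDR_CHECKSUM, header_checksum)
    img[0x180:0x184] = b"\x55\x8b\xec\xc3"               # push ebp; mov ebp,esp; ret
    return bytes(img)


if __name__ == "__main__":
    sample = build_demo_image()
    print("header 0x%x, computed 0x%x, match=%s" % verify_checksum(sample))
```

Run it on the real file by reading it into `verify_checksum`; a stored value of zero is the usual "linker never wrote it" case, while a non-zero stored value that differs from the recomputed one, as here, means the bytes changed after the checksum was written.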
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_03005075 push ecx; ret 1_2_03005088
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_00296288 push 00417A1Bh; ret 1_2_002962B3
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_00284190 push 00405941h; ret 1_2_002841D9
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_00294E74 push ecx; mov dword ptr [esp], edx 1_2_00294E79
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002843F8 push 00405B84h; ret 1_2_0028441C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0029744C push 00418BDCh; ret 1_2_00297474
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028DF4C push 0040F722h; ret 1_2_0028DFBA
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002849F0 push 0040617Ch; ret 1_2_00284A14
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002951A0 push 004169ABh; ret 1_2_00295243
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002965EC push 00417D78h; ret 1_2_00296610
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028F9FC push ecx; mov dword ptr [esp], edx 1_2_0028FA01
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028DFC4 push 0040F7CCh; ret 1_2_0028E064
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002843C0 push 00405B4Ch; ret 1_2_002843E4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002962D8 push 00417A64h; ret 1_2_002962FC
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0029519E push 004169ABh; ret 1_2_00295243
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002962D6 push 00417A64h; ret 1_2_002962FC
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_00295250 push 00416A40h; ret 1_2_002952D8
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028ACD0 push 0040C49Fh; ret 1_2_0028AD37
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028ADF8 push 0040C584h; ret 1_2_0028AE1C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028E8E8 push 00410095h; ret 1_2_0028E92D
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002846D0 push 00405E5Ch; ret 1_2_002846F4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028ADC0 push 0040C54Ch; ret 1_2_0028ADE4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0029744A push 00418BDCh; ret 1_2_00297474
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028DF4A push 0040F722h; ret 1_2_0028DFBA
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028F808 push ecx; mov dword ptr [esp], edx 1_2_0028F80D
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_002815C0 push eax; ret 1_2_002815FC
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028ACCE push 0040C49Fh; ret 1_2_0028AD37
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028B5EC push 0040CD78h; ret 1_2_0028B610
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028AB50 push 0040C42Ch; ret 1_2_0028ACC4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028E940 push 004100CCh; ret 1_2_0028E964
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0028E120 push 0040F8ACh; ret 1_2_0028E144

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 4_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 6_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 6_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 8_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 8_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 10_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 10_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 12_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 12_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 14_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 14_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 16_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 16_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 18_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 18_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 20_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 20_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 22_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 22_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 24_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 24_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 26_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 26_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 28_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 28_2_00404E08
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 30_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 30_2_00404E08

System Summary:

Classification label
Source: classification engine | Classification label: mal80.evad.winEXE@77/2@0/0
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_004076D4 GetDiskFreeSpaceA, 2_2_004076D4
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_0040BA10 FreeResource, 2_2_0040BA10
Creates files inside the user directory
Source: C:\Users\user\Desktop\obtG43AWHP.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\DirectX
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: obtG43AWH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales (18 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\obtG43AWHP.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: obtG43AWH.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Source: unknown | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 0
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 1
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 2
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 3
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 4
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 5
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 6
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 7
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 8
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 9
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 10
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 11
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 12
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 13
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 14
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 15
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\Desktop\obtG43AWHP.exe 'C:\Users\user\Desktop\obtG43AWHP.exe' 16
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe 'C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe' 17 DEL 'C:\Users\user\Desktop\obtG43AWHP.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe | Process created: unknown unknown
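The process list above is a fork chain rather than 71 unrelated launches: each instance relaunches the same image with the next counter (0 to 16), the last stage starts the dropped nthost.exe with "17 DEL <original path>" so the copy can delete its dropper, and explorer.exe is used once as the launcher for the copy. The Python below is an added example, not sandbox code, that replays that chain from a constructed event list and extracts those three patterns plus any image living in a user-writable directory. The event tuples are constructed from the report's own lines; "unknown" as a parent is kept as the report gives it.

```python
import re
from collections import defaultdict

ORIG = r"C:\Users\user\Desktop\obtG43AWHP.exe"
DROP = r"C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed event list (parent image, child image, child command line) that
# replays the chain listed above: self-relaunch with a counter 0..16, handover
# to the dropped copy with "17 DEL <original>", and a launch via explorer.exe.
EVENTS = [(ORIG, ORIG, f"'{ORIG}'")]
EVENTS += [(ORIG, ORIG, f"'{ORIG}' {n}") for n in range(17)]
EVENTS += [
    (ORIG, DROP, f"'{DROP}' 17 DEL '{ORIG}'"),
    ("unknown", EXPLORER, f"explorer.exe {DROP}"),
    (DROP, DROP, f"'{DROP}' 17 DEL '{ORIG}'"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


def argv_of(cmdline: str):
    """Split a Windows command line on whitespace, honouring single and double
    quotes and leaving backslashes alone (shlex in POSIX mode would eat them)."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def analyze(events):
    launches = defaultdict(list)            # child image -> [(parent image, args)]
    for parent, image, cmdline in events:
        launches[image].append((parent, argv_of(cmdline)[1:]))

    findings = []

    def add(finding):
        if finding not in findings:         # identical events collapse to one finding
            findings.append(finding)

    for image, runs in launches.items():
        if any(seg in image.lower() for seg in USER_WRITABLE):
            add(("user-writable-image", image))
        # Self-relaunch with a strictly consecutive numeric argument: each
        # instance starts the next stage, which is how the count reaches 71.
        counters = sorted(int(a[0]) for p, a in runs if p == image and a and a[0].isdigit())
        if len(counters) >= 3 and counters == list(range(counters[0], counters[0] + len(counters))):
            add(("self-replication", image, counters[0], counters[-1]))
        for parent, args in runs:
            # "DEL <path>" handed to the new copy: the dropper asks its child to remove it.
            if "DEL" in args and args.index("DEL") + 1 < len(args):
                add(("self-delete-handoff", image, args[args.index("DEL") + 1]))
            # explorer.exe given a user-writable path: a launcher hop that breaks parent-child lineage.
            if image.lower().endswith("\\explorer.exe") and args and any(seg in args[0].lower() for seg in USER_WRITABLE):
                add(("explorer-launch", args[0]))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The explorer.exe hop is worth keeping in the output on its own: a binary started through explorer.exe shows explorer as its parent in process-tree views, which hides the dropper unless the command line is retained as it is here.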
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains functionality to call native functions
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 1_2_0027E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 1_2_0027E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 2_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 2_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 3_2_0029E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 3_2_0029E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 4_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 4_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 5_2_0020E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 5_2_0020E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 6_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 6_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 7_2_0028E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 7_2_0028E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 8_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 8_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 9_2_0028E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 9_2_0028E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 10_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 10_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 11_2_001AE080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 11_2_001AE080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 12_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 12_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 13_2_002DE080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 13_2_002DE080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 14_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 14_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 15_2_0020E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 15_2_0020E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 16_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 16_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 17_2_0037E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 17_2_0037E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 18_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 18_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 19_2_0018E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 19_2_0018E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 20_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 20_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 21_2_0024E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 21_2_0024E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 22_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 22_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 23_2_0020E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 23_2_0020E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 24_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 24_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 25_2_0027E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 25_2_0027E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 26_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 26_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 27_2_0024E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 27_2_0024E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 28_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 28_2_00417F5C
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 29_2_0027E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 29_2_0027E080
Source: C:\Users\user\Desktop\obtG43AWHP.exe | Code function: 30_2_00417F5C CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualFree,TerminateProcess, 30_2_00417F5C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00405CF0 appears 90 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00411DBC appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00401268 appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 004118D4 appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040A628 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00407F03 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00217214 appears 33 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040CA14 appears 315 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 03005030 appears 38 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0021589C appears 54 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040539C appears 75 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00404194 appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00401314 appears 75 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 004038E8 appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00403894 appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040F48C appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00281D0C appears 42 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00405A90 appears 150 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040346C appears 210 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040450C appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00211D0C appears 42 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00287214 appears 33 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00405C80 appears 255 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0025589C appears 36 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00403EAC appears 405 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0028589C appears 54 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 004111AC appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00403114 appears 105 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00408974 appears 165 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040DB18 appears 165 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00405C78 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0040345C appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00403E88 appears 1095 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00401260 appears 45 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 00406EFC appears 60 times
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: String function: 0029589C appears 36 times

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_0027E080 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualAlloc,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\obtG43AWHP.exe Memory written: C:\Users\user\Desktop\obtG43AWHP.exe base: 400000 value starts with: 4D5A (this entry is listed 18 times)
Source: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\DirectX\nthost.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\obtG43AWHP.exe Thread register set: target process: 3120
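The evidence in this section and in the code-function lines further up is the classic process-hollowing (RunPE) pattern: a child is created (CreateProcessA), its original image is optionally unmapped (NtUnmapViewOfSection in the 00417F5C variant), memory is allocated in it (VirtualAllocEx), a PE image is written (WriteProcessMemory / NtWriteVirtualMemory, which is why an MZ header, 4D5A, lands at base 400000), the main thread's entry point is redirected (SetThreadContext) and the thread is released (ResumeThread). The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses evidence lines in the layout used above and flags the ordered hollowing chain and the PE-header write. The three sample lines are constructed for the example; the API alias sets, the optional-unmap rule and the 0x400000 default-image-base check are the author's assumptions, not fields of the report.

```python
"""Flag process-hollowing (RunPE) indicators in sandbox evidence lines.

Added example: parses "Code function:" API chains and "Memory written:" events
in the layout of the report above and reports the ordered stages of a hollowing
loader. Nothing here is taken from the sandbox's own signature logic.
"""
import re

# Stages of a hollowing loader in the order they must occur. Each stage lists the
# Win32 and Nt/Zw aliases that implement it (assumed alias sets, not the report's).
HOLLOWING_STAGES = [
    ("create",  {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}),
    ("resume",  {"ResumeThread", "NtResumeThread", "ZwResumeThread"}),
]
# Unmapping the original image is optional (the 0024E080 variant above skips it and
# overwrites the image in place), so it is reported separately rather than required.
UNMAP_APIS = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}

CODE_FUNC_RE = re.compile(
    r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>[A-Za-z0-9_,]+)")
MEM_WRITE_RE = re.compile(
    r"Memory written:\s*(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"\s+value starts with:\s*(?P<magic>[0-9A-Fa-f]+)")

# Constructed sample lines in the report's layout (not copied from a live analysis).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_00417F5C "
    r"CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,"
    r"VirtualAllocEx,WriteProcessMemory,SetThreadContext,ResumeThread",
    r"Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_00404E08 "
    r"GetModuleHandleA,GetProcAddress,FindFirstFileA,FindClose",
    r"Source: C:\Users\user\Desktop\obtG43AWHP.exe Memory written: "
    r"C:\Users\user\Desktop\obtG43AWHP.exe base: 400000 value starts with: 4D5A",
]


def hollowing_stages(apis):
    """Return the stage names found as an ordered subsequence of the API chain."""
    matched = []
    pos = 0
    for name, aliases in HOLLOWING_STAGES:
        while pos < len(apis) and apis[pos] not in aliases:
            pos += 1
        if pos == len(apis):
            break  # this stage never occurs after the previous one
        matched.append(name)
        pos += 1
    return matched


def is_hollowing(apis):
    """True when every stage occurs, in loader order."""
    return len(hollowing_stages(apis)) == len(HOLLOWING_STAGES)


def parse_api_chain(line):
    """Split a 'Code function:' line into (function id, [api, ...]) or None."""
    m = CODE_FUNC_RE.search(line)
    if not m:
        return None
    fid = m.group("fid")
    # Drop empty tokens and the function id that some report layouts repeat at the end.
    apis = [a for a in m.group("apis").split(",") if a and a != fid]
    return fid, apis


def scan(lines):
    """Return one finding dict per hollowing chain or PE-header write in the lines."""
    findings = []
    for line in lines:
        chain = parse_api_chain(line)
        if chain:
            fid, apis = chain
            if is_hollowing(apis):
                findings.append({
                    "kind": "hollowing_chain",
                    "function": fid,
                    "stages": hollowing_stages(apis),
                    "unmaps_target": any(a in UNMAP_APIS for a in apis),
                })
            continue
        m = MEM_WRITE_RE.search(line)
        if m and m.group("magic").upper().startswith("4D5A"):
            # An MZ header written into another process is a whole PE image being
            # planted; 0x400000 is the default non-ASLR image base of 32-bit EXEs.
            base = int(m.group("base"), 16)
            findings.append({
                "kind": "pe_header_written",
                "target": m.group("target"),
                "base": base,
                "at_default_image_base": base == 0x400000,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The stage match is a subsequence check, so unrelated calls between the stages (GetThreadContext, ReadProcessMemory, the repeated VirtualAllocEx) do not break it, while the same APIs in the wrong order (a resume before the write) do not count. Feed it the "Code function:" and "Memory written:" lines of a report and it will flag exactly the two kinds of evidence this section shows.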

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_03003F30 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_03003CD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_03006BA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_03003CD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_03006BA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_03003F30 SetUnhandledExceptionFilter
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_03003CD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_030073AC LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_0027DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 3_2_0029DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 5_2_0020DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 7_2_0028DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 9_2_0028DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 11_2_001ADFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 13_2_002DDFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 15_2_0020DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 17_2_0037DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 19_2_0018DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 21_2_0024DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 23_2_0020DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 25_2_0027DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 27_2_0024DFB2 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 29_2_0027DFB2 push dword ptr fs:[00000030h]
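The `push dword ptr fs:[00000030h]` lines above are the 32-bit idiom for loading the PEB pointer out of the TEB: on x86 Windows the fs segment base is the TEB and TEB+0x30 holds the PEB address (on x64 it is gs:[0x60]). PEB+0x02 is BeingDebugged, which is all IsDebuggerPresent returns, and PEB+0x68 (x64: 0xBC) is NtGlobalFlag, whose heap-debug bits are set when a process is started under a debugger; code that reads the PEB directly gets the same answer without calling an API that a hook or a sandbox could intercept. The following Python is an added example, not part of the report or of the sample: a byte-pattern scanner that finds the common fs:[30h] and gs:[60h] PEB loads in raw code, the way a static rule for this signature would. The byte blob is constructed for the example; the instruction encodings are standard x86/x64, and the limited set of forms handled (A1 with a 32-bit offset, 8B /r and FF /6 with an absolute disp32, and REX.W 8B with a SIB absolute address) is the author's choice.

```python
"""Static scan for x86/x64 instructions that load the PEB pointer from the TEB.

Added example: finds the segment-relative loads malware uses to reach
PEB.BeingDebugged / PEB.NtGlobalFlag without calling IsDebuggerPresent.
"""
import struct

X86_PEB_OFFSET = 0x30   # TEB+0x30 holds the PEB pointer on 32-bit Windows (fs base = TEB)
X64_PEB_OFFSET = 0x60   # TEB+0x60 holds it on 64-bit Windows (gs base = TEB)
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
REG64 = ("rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi")

# Debugger-relevant PEB fields reached from that pointer (documented offsets).
PEB_FIELDS = {
    32: {"BeingDebugged": 0x002, "NtGlobalFlag": 0x068},
    64: {"BeingDebugged": 0x002, "NtGlobalFlag": 0x0BC},
}

# Constructed byte blob for the example (not bytes from the sample): filler
# instructions around the PEB loads under test.
SAMPLE_CODE = bytes.fromhex((
    "55 8b ec"                    # push ebp ; mov ebp, esp
    "64 ff 35 30 00 00 00"        # push dword ptr fs:[30h]   (the form in the report)
    "90"                          # nop
    "64 a1 30 00 00 00"           # mov eax, fs:[30h]
    "8a 40 02"                    # mov al, [eax+2]           ; PEB.BeingDebugged
    "64 8b 0d 30 00 00 00"        # mov ecx, fs:[30h]
    "65 48 8b 04 25 60 00 00 00"  # mov rax, gs:[60h]         (64-bit form)
    "c3"                          # ret
).replace(" ", ""))


def _disp32(code, pos):
    """Little-endian 32-bit displacement at pos, or None if it runs past the end."""
    if pos + 4 > len(code):
        return None
    return struct.unpack_from("<I", code, pos)[0]


def find_peb_reads(code):
    """Return (offset, mnemonic) for every TEB->PEB pointer load found in code."""
    hits = []
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0x64 and i + 1 < len(code):            # fs: segment override (x86)
            op = code[i + 1]
            # A1 moffs32: mov eax, fs:[disp32]
            if op == 0xA1 and _disp32(code, i + 2) == X86_PEB_OFFSET:
                hits.append((i, "mov eax, fs:[30h]"))
                i += 6
                continue
            if op in (0x8B, 0xFF) and i + 2 < len(code):
                modrm = code[i + 2]
                # mod=00, rm=101 selects a bare disp32 address in 32-bit mode
                if (modrm & 0xC7) == 0x05 and _disp32(code, i + 3) == X86_PEB_OFFSET:
                    if op == 0x8B:                      # mov r32, fs:[disp32]
                        hits.append((i, f"mov {REG32[(modrm >> 3) & 7]}, fs:[30h]"))
                        i += 7
                        continue
                    if modrm == 0x35:                   # FF /6: push dword ptr fs:[disp32]
                        hits.append((i, "push dword ptr fs:[30h]"))
                        i += 7
                        continue
        if b == 0x65 and i + 4 < len(code):            # gs: segment override (x64)
            modrm = code[i + 3]
            # REX.W 8B /r with modrm rm=100 and SIB 0x25: absolute disp32, no base
            # (mod=00 rm=101 would be RIP-relative in 64-bit mode, so this SIB form is used)
            if (code[i + 1] == 0x48 and code[i + 2] == 0x8B and (modrm & 0xC7) == 0x04
                    and code[i + 4] == 0x25 and _disp32(code, i + 5) == X64_PEB_OFFSET):
                hits.append((i, f"mov {REG64[(modrm >> 3) & 7]}, gs:[60h]"))
                i += 9
                continue
        i += 1
    return hits


if __name__ == "__main__":
    for offset, text in find_peb_reads(SAMPLE_CODE):
        print(f"{offset:04x}: {text}")
```

The scanner only reports a load when the displacement is exactly the PEB slot, so the same opcodes used for other TEB fields (fs:[0x18], the TEB self-pointer, or fs:[0x00], the SEH chain) are not flagged; extend the offset check if you also want those. Run over a dumped section of the sample it gives you the offsets the "Contains functionality to read the PEB" signature points at, and the register each load lands in tells you where to look for the following BeingDebugged or NtGlobalFlag dereference.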

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 30_2_00404E08 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Contains functionality to query system information
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_0041844E GetSystemInfo
Program exit points
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_1-19518
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_1-18629
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_1-19034
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_1-19038
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_1-19161
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_2-17672
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_2-17610
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_4-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_6-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_8-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_10-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_12-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_14-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_16-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_18-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_20-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_22-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node graph_24-14048
Source: C:\Users\user\Desktop\obtG43AWHP.exe API call chain: ExitProcess graph end node (three further entries without a graph id)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\obtG43AWHP.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_1-18709
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\obtG43AWHP.exe API coverage: 4.4 %
Source: C:\Users\user\Desktop\obtG43AWHP.exe API coverage: 6.7 % (this entry is listed 14 times)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3720 Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\obtG43AWHP.exe Process information set: NOOPENFILEERRORBOX (this entry is listed 3 times)
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_00417A70 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_0300521F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Contains functionality to query windows version
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_0040AD2C GetVersionExA
Queries the cryptographic machine GUID
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 1_2_0300966F _strlen,ShellExecuteA,ShellAboutW,ExtractIconA,GetColorSpace,GetLogColorSpaceA,ChoosePixelFormat,SetICMMode,GetPrivateProfileSectionNamesA,GetCalendarInfoW,GetLocaleInfoW,GetModuleHandleW,LocalAlloc,VirtualProtect,GetTickCount
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 2_2_0300966F _strlen,ShellExecuteA,ShellAboutW,ExtractIconA,GetColorSpace,GetLogColorSpaceA,ChoosePixelFormat,SetICMMode,GetPrivateProfileSectionNamesA,GetCalendarInfoW,GetLocaleInfoW,GetModuleHandleW,LocalAlloc,VirtualProtect,GetTickCount
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 4_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 6_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 8_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 10_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 12_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 14_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 16_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 18_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 20_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 22_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 24_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 26_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_00409DB0 GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_0040587C GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 28_2_00409DFC GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 30_2_00404FC0 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 30_2_004050CC lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 30_2_0040587A GetLocaleInfoA
Source: C:\Users\user\Desktop\obtG43AWHP.exe Code function: 30_2_0040B2B4 GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,30_2_00409DB0
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,30_2_0040587C
Source: C:\Users\user\Desktop\obtG43AWHP.exeCode function: GetLocaleInfoA,30_2_00409DFC

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph: rendered as an image in the original report; only its node and edge labels survive here.]
Behavior Graph ID: 33765 Sample: obtG43AWHP.bin Startdate: 08/10/2017 Architecture: WINDOWS Score: 80
  • main starts obtG43AWHP.exe (node 1) and explorer.exe (node 38)
  • obtG43AWHP.exe node 1 starts obtG43AWHP.exe node 2, node 2 starts node 3, and so on: a chain of re-spawned obtG43AWHP.exe processes (node labels extracted through node 20, signature labels through node 39)
  • Signatures attached to each obtG43AWHP.exe node 1 to 36: Contains functionality to inject code into remote processes; Creates autostart registry keys with suspicious names; Injects a PE file into a foreign processes
  • Signatures attached to nodes 37 and 39: Injects a PE file into a foreign processes; Antivirus detection for dropped file
  • Dropped file: nthost.exe, PE32