Windows Analysis Report
yDoZVwXSMG.exe

Overview

General Information

Sample name: yDoZVwXSMG.exe
renamed because original name is a hash value
Original sample name: 21922_224871481_da5669cb6c0e24e7679e4cce556acae9d1fabff38df9769fae96837617c38753_au_.exe
Analysis ID: 1559721
MD5: a82c9640641c01795da7322ed1b2462f
SHA1: af1c79055759a4c698220a22eff9cef97ac8209e
SHA256: da5669cb6c0e24e7679e4cce556acae9d1fabff38df9769fae96837617c38753

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality for reading data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: yDoZVwXSMG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_00406775 FindFirstFileA,FindClose, 0_2_00406775
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_00402A84 FindFirstFileA, 0_2_00402A84
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405B99
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_00406775 FindFirstFileA,FindClose, 2_2_00406775
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_00405B99 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00405B99
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_00402A84 FindFirstFileA, 2_2_00402A84
Source: Au_.exe, Au_.exe, 00000002.00000002.3439503883.000000000040A000.00000004.00000001.01000000.00000004.sdmp, Au_.exe, 00000002.00000000.2190560048.000000000040A000.00000008.00000001.01000000.00000004.sdmp, yDoZVwXSMG.exe, Au_.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yDoZVwXSMG.exe, Au_.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: yDoZVwXSMG.exe, 00000000.00000002.2191564328.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191258259.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Au_.exe, Au_.exe, 00000002.00000002.3439987828.0000000002828000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3440578387.0000000010003000.00000004.00000001.01000000.00000007.sdmp, nsvC710.tmp.0.dr, nsqC8C5.tmp.2.dr String found in binary or memory: https://www.gegridsolutions.com/multilin/
Source: yDoZVwXSMG.exe, 00000000.00000002.2191564328.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191258259.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, yDoZVwXSMG.exe, 00000000.00000002.2191048241.000000000040C000.00000004.00000001.01000000.00000003.sdmp, Au_.exe, 00000002.00000002.3439987828.0000000002828000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp, nsvC710.tmp.0.dr, nsqC8C5.tmp.2.dr String found in binary or memory: https://www.gegridsolutions.com/multilin/200Set
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_00405683 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405683
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_03A11D4E GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA, 2_2_03A11D4E
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_004048DE GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004048DE
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_004036E7 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004036E7
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_004036E7 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 2_2_004036E7
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_00404E7A 0_2_00404E7A
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_00406AB6 0_2_00406AB6
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_00404E7A 2_2_00404E7A
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_00406AB6 2_2_00406AB6
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: String function: 00406747 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: String function: 00406747 appears 58 times
Source: classification engine Classification label: clean4.winEXE@3/11@0/0
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Code function: 0_2_004022F1 CoCreateInstance,MultiByteToWideChar, 0_2_004022F1
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe File created: C:\Users\user\AppData\Local\Temp\nsfC6FF.tmp
Source: yDoZVwXSMG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe File read: C:\Users\user\Desktop\yDoZVwXSMG.exe
Source: unknown Process created: C:\Users\user\Desktop\yDoZVwXSMG.exe "C:\Users\user\Desktop\yDoZVwXSMG.exe"
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Process created: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe "C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\user\Desktop\
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe File written: C:\Users\user\AppData\Local\Temp\nslC943.tmp\ioSpecial.ini
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: yDoZVwXSMG.exe Static file information: File size 2469638 > 1048576
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_039F4DB4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_039F4DB4
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_039F3F10 push eax; ret 2_2_039F3F3E
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\BrandingURL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\FindProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LogEx.dll
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe File created: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe File created: C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Code function: 2_2_03A11410 wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA, 2_2_03A11410
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\BrandingURL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\FindProcDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LangDLL.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\LogEx.dll
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslC943.tmp\InstallOptions.dll
Source: Au_.exe, 00000002.00000002.3439724667.000000000057E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: C:\Users\user\Desktop\yDoZVwXSMG.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\~nsuA.tmp\Au_.exe Process information queried: ProcessInformation
No contacted IP infos