Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491 |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/upload/upload.php |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/kh= |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/8 |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/hi0 |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/upload/upload.phpmit |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/upload/upload.phpp/hi0 |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/#hu |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49 |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/5hc |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/ography |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/ |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/sFt |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/Dg |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/Vg |
Avira URL Cloud: Label: phishing |
Source: https://banusdoret.top/oi9 |
Avira URL Cloud: Label: phishing |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_00409931 ??2@YAPAXI@Z,FindFirstFileW,FindClose, |
0_2_00409931 |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_00404402 FindFirstFileW,FindClose,SetLastError,CompareFileTime, |
0_2_00404402 |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_00403327 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, |
0_2_00403327 |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, |
0_2_00403442 |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose, |
6_2_0091E334 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose, |
12_2_0028E334 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose, |
12_2_0029A32C |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose, |
12_2_002965AE |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0025C6C2 FindFirstFileExW, |
12_2_0025C6C2 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00297205 FindFirstFileW,FindClose, |
12_2_00297205 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, |
12_2_002972A6 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
12_2_0028D7CC |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
12_2_0028DB0B |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
12_2_00299E43 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
12_2_00299F9E |
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp |
String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0 |
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.letsencrypt.org0 |
Source: nslookup.exe, 00000010.00000003.514415275.0000000003B97000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.root |
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.root-x1.letsencrypt.org0 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://crl.globalsign.net/root-r3.crl0 |
Source: nslookup.exe, 00000010.00000003.514235035.0000000003B7E000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.identrust.com/DST# |
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.i.lencr.org/0- |
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.o.lencr.org0 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0 |
Source: Gia.exe.com, 00000006.00000000.354716969.0000000000985000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502867230.0000000000985000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529162484.00000000002F5000.00000002.00020000.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: http://www.autoitscript.com/autoit3/X |
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp, nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/ |
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/#hu |
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49 |
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491 |
Source: nslookup.exe, 00000010.00000002.591717257.0000000003B30000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ |
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r |
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/5hc |
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/8 |
Source: nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/Dg |
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/Vg |
Source: nslookup.exe, 00000010.00000003.536247326.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/hi0 |
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/kh= |
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/ography |
Source: nslookup.exe, 00000010.00000003.544012619.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/oi9 |
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/sFt |
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp |
String found in binary or memory: https://banusdoret.top/upload/upload.php |
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/upload/upload.phpmit |
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.top/upload/upload.phpp/hi0 |
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp |
String found in binary or memory: https://banusdoret.topctionSettings |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: https://www.autoitscript.com/autoit3/ |
Source: Gia.exe.com.5.dr |
String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr |
String found in binary or memory: https://www.globalsign.com/repository/06 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002B9B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
12_2_002B9B7E |
Source: unknown |
Process created: C:\Users\user\Desktop\WDnE51mua6.exe 'C:\Users\user\Desktop\WDnE51mua6.exe' |
|
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe' |
|
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe CmD |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D |
|
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30 |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js' |
|
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I |
|
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe |
|
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process get Name |
|
Source: C:\Windows\SysWOW64\nslookup.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\makecab.exe makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' |
|
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_3_0464985C pushfd ; retf 0001h |
0_3_0464985D |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_0041C1C0 push eax; ret |
0_2_0041C1EE |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_0041BEF0 push ecx; mov dword ptr [esp], ecx |
0_2_0041BEF1 |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Code function: 6_2_008D0E96 push ecx; ret |
6_2_008D0EA9 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00240E96 push ecx; ret |
12_2_00240EA9 |
Source: C:\Windows\SysWOW64\nslookup.exe |
Code function: 16_3_03B9799C push esi; retf |
16_3_03B979C3 |
Source: C:\Windows\SysWOW64\nslookup.exe |
Code function: 16_3_03B972F3 push esi; retf |
16_3_03B9739A |
Source: C:\Windows\SysWOW64\nslookup.exe |
Code function: 16_3_03B96AE2 push esi; retf |
16_3_03B96B09 |
Source: C:\Windows\SysWOW64\nslookup.exe |
Code function: 16_3_03B972D6 push esi; retf |
16_3_03B9739A |
Source: C:\Windows\SysWOW64\nslookup.exe |
Code function: 16_3_03B9642F push esi; retf |
16_3_03B964D6 |
Source: C:\Windows\SysWOW64\nslookup.exe |
Code function: 16_3_03B9D24C push esi; iretd |
16_3_03B9D24D |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Code function: 6_2_008CFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
6_2_008CFC88 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002B231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
12_2_002B231B |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0023FC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
12_2_0023FC88 |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wbem\WMIC.exe |
Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, |
0_2_00403442 |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose, |
6_2_0091E334 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose, |
12_2_0028E334 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose, |
12_2_0029A32C |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose, |
12_2_002965AE |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0025C6C2 FindFirstFileExW, |
12_2_0025C6C2 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00297205 FindFirstFileW,FindClose, |
12_2_00297205 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, |
12_2_002972A6 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
12_2_0028D7CC |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
12_2_0028DB0B |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
12_2_00299E43 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
12_2_00299F9E |
Source: Gia.exe.com, 00000006.00000003.373817469.0000000003A0F000.00000004.00000001.sdmp |
Binary or memory string: VSBQTQCGHGFSVBZNPa |
Source: Gia.exe.com, 00000007.00000003.481222837.0000000000C86000.00000004.00000001.sdmp |
Binary or memory string: For $XiNdoKGhHHMCONMOTWHGfSTeNgLuudMzhkzCOkswjyqkIf = 14 To 21iHv |
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: Gia.exe.com, 00000006.00000003.379643001.00000000014A1000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.500853897.0000000001015000.00000004.00000001.sdmp |
Binary or memory string: XINDOKGHHHMCONMOTWHGFSTENGLUUDMZHKZCOKSWJYQKIF |
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp |
Binary or memory string: Local $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("108$94$113$95$116$92$108$80$122$95$72$111$72$127$80$120$83$92$116$80$124$110$124$126$74$120",5)bpP'V |
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.517559340.0000000001815000.00000004.00000001.sdmp, D.4.dr |
Binary or memory string: $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("74$118$85$93$119$111$103$125$93$120$113$69$110$114$80$80$85$74$112$115$120$76$106$102$115",4) |
Source: Gia.exe.com, 00000007.00000003.484283807.0000000000E1B000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.512752448.0000000001735000.00000004.00000001.sdmp, D.4.dr |
Binary or memory string: Local $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("108$94$113$95$116$92$108$80$122$95$72$111$72$127$80$120$83$92$116$80$124$110$124$126$74$120",5) |
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Gia.exe.com, 00000006.00000003.363693331.0000000001246000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.485762857.0000000000DEE000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.517346905.00000000017B0000.00000004.00000001.sdmp, D.4.dr |
Binary or memory string: Local $OAqRAdBbLENaGz = Execute(WFzUldrKAarEmh("83$116$114$105$110$103$73$115$70$108$111$97$116$40$39$99$88$111$72$89$77$97$80$97$39$41",0)), $rmmUODWAgzS = 'WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx' |
Source: juROhmfLml.exe.com, 0000000C.00000003.525890863.0000000003A7D000.00000004.00000001.sdmp |
Binary or memory string: AYMJRBYKOZPULCBEXEFVMCIRPJNVHKMNQLYPKHLNORGCWOLBBRWSHWLTBV |
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: juROhmfLml.exe.com, 0000000C.00000003.526715313.00000000019DF000.00000004.00000001.sdmp |
Binary or memory string: XINDOKGHHHMCONMOTWHGFSTENGLUUDMZHKZCOKSWJYQKIFzY6 |
Source: juROhmfLml.exe.com, 0000000C.00000003.521769343.0000000003EAD000.00000004.00000001.sdmp |
Binary or memory string: VSBQTQCGHGFSVBZNP= |
Source: Gia.exe.com, 00000007.00000003.497896623.000000000333D000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.523133517.0000000003D3B000.00000004.00000001.sdmp |
Binary or memory string: WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx |
Source: Gia.exe.com, 00000007.00000003.491094566.0000000003773000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000002.530969482.00000000041DF000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Gia.exe.com, 00000007.00000003.479485061.0000000000C89000.00000004.00000001.sdmp |
Binary or memory string: For $AyMjRBYKozpULCBeXeFVMcIRpJnVhKmNQLypkhlNOrGCWOLBbRWsHwltbV = 2 To 35'~O |
Source: Gia.exe.com, 00000007.00000003.361970252.0000000003812000.00000004.00000001.sdmp, D.4.dr |
Binary or memory string: For $XiNdoKGhHHMCONMOTWHGfSTeNgLuudMzhkzCOkswjyqkIf = 14 To 21 |
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW8O |
Source: Gia.exe.com, 00000006.00000003.375300453.00000000038A4000.00000004.00000001.sdmp |
Binary or memory string: WnhgFsHZLPgRZzChkPpMgNPUzgtiphUTx; |
Source: D.4.dr |
Binary or memory string: For $AyMjRBYKozpULCBeXeFVMcIRpJnVhKmNQLypkhlNOrGCWOLBbRWsHwltbV = 2 To 35 |
Source: Gia.exe.com, 00000007.00000003.488239080.0000000000E52000.00000004.00000001.sdmp |
Binary or memory string: $vSBQTqCgHgfSVBzNP = WFzUldrKAarEmh("74$118$85$93$119$111$103$125$93$120$113$69$110$114$80$80$85$74$112$115$120$76$106$102$115",4)W |
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: Gia.exe.com, 00000007.00000003.495710670.00000000034B7000.00000004.00000001.sdmp |
Binary or memory string: VSBQTQCGHGFSVBZNPG |
Source: Gia.exe.com, 00000006.00000003.373817469.0000000003A0F000.00000004.00000001.sdmp, Gia.exe.com, 00000007.00000003.495710670.00000000034B7000.00000004.00000001.sdmp, juROhmfLml.exe.com, 0000000C.00000003.521769343.0000000003EAD000.00000004.00000001.sdmp |
Binary or memory string: VSBQTQCGHGFSVBZNP |
Source: WMIC.exe, 0000001B.00000002.525079315.0000000003240000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Code function: 6_2_008D1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
6_2_008D1041 |
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com |
Code function: 6_2_008E29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
6_2_008E29B2 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00240DF5 SetUnhandledExceptionFilter, |
12_2_00240DF5 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_002529B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
12_2_002529B2 |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00240C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
12_2_00240C5F |
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com |
Code function: 12_2_00241041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
12_2_00241041 |
Source: Gia.exe.com, 00000006.00000000.354662827.0000000000973000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502815629.0000000000973000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529054024.00000000002E3000.00000002.00020000.sdmp, Gia.exe.com.5.dr |
Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: Gia.exe.com, juROhmfLml.exe.com, nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: nslookup.exe, 00000010.00000002.592440613.00000000040C0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\WDnE51mua6.exe |
Code function: 0_2_00406024 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,KiUserCallbackDispatcher,GetVersionExW,GetCommandLineW,GetCommandLineW,GetCommandLineW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,??3@YAXPAX@Z,lstrlenW,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,_wtol,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, |
0_2_00406024 |