Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: INSERT_KEY_HERE |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetProcAddress |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: LoadLibraryA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: lstrcatA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: OpenEventA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateEventA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CloseHandle |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Sleep |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetUserDefaultLangID |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: VirtualAllocExNuma |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: VirtualFree |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetSystemInfo |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: VirtualAlloc |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HeapAlloc |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetComputerNameA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: lstrcpyA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetProcessHeap |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetCurrentProcess |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: lstrlenA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ExitProcess |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GlobalMemoryStatusEx |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetSystemTime |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SystemTimeToFileTime |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: advapi32.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: gdi32.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: user32.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: crypt32.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ntdll.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetUserNameA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateDCA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetDeviceCaps |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ReleaseDC |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CryptStringToBinaryA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sscanf |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: VMwareVMware |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HAL9TH |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: JohnDoe |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DISPLAY |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %hu/%hu/%hu |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: http://193.163.7.88 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: /a69d09b357e06b52.php |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: /f77a9ad318e8e915/ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: vor24 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetEnvironmentVariableA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetFileAttributesA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GlobalLock |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HeapFree |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetFileSize |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GlobalSize |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateToolhelp32Snapshot |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: IsWow64Process |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Process32Next |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetLocalTime |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: FreeLibrary |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetTimeZoneInformation |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetSystemPowerStatus |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetVolumeInformationA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetWindowsDirectoryA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Process32First |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetLocaleInfoA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetUserDefaultLocaleName |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetModuleFileNameA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DeleteFileA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: FindNextFileA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: LocalFree |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: FindClose |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SetEnvironmentVariableA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: LocalAlloc |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetFileSizeEx |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ReadFile |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SetFilePointer |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: WriteFile |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateFileA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: FindFirstFileA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CopyFileA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: VirtualProtect |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetLogicalProcessorInformationEx |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetLastError |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: lstrcpynA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: MultiByteToWideChar |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GlobalFree |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: WideCharToMultiByte |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GlobalAlloc |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: OpenProcess |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: TerminateProcess |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetCurrentProcessId |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: gdiplus.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ole32.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: bcrypt.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: wininet.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: shlwapi.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: shell32.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: psapi.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: rstrtmgr.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateCompatibleBitmap |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SelectObject |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BitBlt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DeleteObject |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateCompatibleDC |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdipGetImageEncodersSize |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdipGetImageEncoders |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdipCreateBitmapFromHBITMAP |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdiplusStartup |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdiplusShutdown |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdipSaveImageToStream |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdipDisposeImage |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GdipFree |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetHGlobalFromStream |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CreateStreamOnHGlobal |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CoUninitialize |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CoInitialize |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CoCreateInstance |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BCryptGenerateSymmetricKey |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BCryptCloseAlgorithmProvider |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BCryptDecrypt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BCryptSetProperty |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BCryptDestroyKey |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: BCryptOpenAlgorithmProvider |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetWindowRect |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetDesktopWindow |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetDC |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CloseWindow |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: wsprintfA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: EnumDisplayDevicesA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetKeyboardLayoutList |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CharToOemW |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: wsprintfW |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RegQueryValueExA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RegEnumKeyExA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RegOpenKeyExA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RegCloseKey |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RegEnumValueA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CryptBinaryToStringA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CryptUnprotectData |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SHGetFolderPathA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ShellExecuteExA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: InternetOpenUrlA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: InternetConnectA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: InternetCloseHandle |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: InternetOpenA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HttpSendRequestA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HttpOpenRequestA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: InternetReadFile |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: InternetCrackUrlA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: StrCmpCA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: StrStrA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: StrCmpCW |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: PathMatchSpecA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: GetModuleFileNameExA |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RmStartSession |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RmRegisterResources |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RmGetList |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: RmEndSession |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_open |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_prepare_v2 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_step |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_column_text |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_finalize |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_close |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_column_bytes |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3_column_blob |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: encrypted_key |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: PATH |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: C:\ProgramData\nss3.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: NSS_Init |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: NSS_Shutdown |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: PK11_GetInternalKeySlot |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: PK11_FreeSlot |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: PK11_Authenticate |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: PK11SDR_Decrypt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: C:\ProgramData\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT origin_url, username_value, password_value FROM logins |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: browser: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: profile: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: url: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: login: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: password: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Opera |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: OperaGX |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Network |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: cookies |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: .txt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: TRUE |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: FALSE |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: autofill |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT name, value FROM autofill |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: history |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT url FROM urls LIMIT 1000 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: name: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: month: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: year: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: card: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Cookies |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Login Data |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Web Data |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: History |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: logins.json |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: formSubmitURL |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: usernameField |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: encryptedUsername |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: encryptedPassword |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: guid |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT fieldname, value FROM moz_formhistory |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SELECT url FROM moz_places LIMIT 1000 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: cookies.sqlite |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: formhistory.sqlite |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: places.sqlite |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: plugins |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Local Extension Settings |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Sync Extension Settings |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: IndexedDB |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Opera Stable |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Opera GX Stable |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: CURRENT |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: chrome-extension_ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: _0.indexeddb.leveldb |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Local State |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: profiles.ini |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: chrome |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: opera |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: firefox |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: wallets |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %08lX%04lX%lu |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ProductName |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %d/%d/%d %d:%d:%d |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ProcessorNameString |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DisplayName |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DisplayVersion |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Network Info: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - IP: IP? |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Country: ISO? |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: System Summary: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - HWID: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - OS: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Architecture: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - UserName: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Computer Name: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Local Time: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - UTC: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Language: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Keyboards: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Laptop: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Running Path: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - CPU: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Threads: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Cores: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - RAM: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - Display Resolution: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: - GPU: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: User Agents: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Installed Apps: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: All Users: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Current User: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Process List: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: system_info.txt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: freebl3.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: mozglue.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: msvcp140.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: nss3.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: softokn3.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: vcruntime140.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Temp\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: .exe |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: runas |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: open |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: /c start |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %DESKTOP% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %APPDATA% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %LOCALAPPDATA% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %USERPROFILE% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %DOCUMENTS% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %PROGRAMFILES% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %PROGRAMFILES_86% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: %RECENT% |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: *.lnk |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: files |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \discord\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Local Storage\leveldb\CURRENT |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Local Storage\leveldb |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Telegram Desktop\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: key_datas |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: D877F783D5D3EF8C* |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: map* |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: A7FDF864FBC10B77* |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: A92DAA6EA6F891F2* |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: F8806DD0C461824F* |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Telegram |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: *.tox |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: *.ini |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Password |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: 00000001 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: 00000002 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: 00000003 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: 00000004 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Outlook\accounts.txt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Pidgin |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \.purple\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: accounts.xml |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: dQw4w9WgXcQ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: token: |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Software\Valve\Steam |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: SteamPath |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \config\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ssfn* |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: config.vdf |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DialogConfig.vdf |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: DialogConfigOverlay*.vdf |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: libraryfolders.vdf |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: loginusers.vdf |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Steam\ |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: sqlite3.dll |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: browsers |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: done |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: soft |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: \Discord\tokens.txt |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: /c timeout /t 5 & del /f /q " |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: " & del "C:\ProgramData\*.dll"" & exit |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: C:\Windows\system32\cmd.exe |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: https |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Content-Type: multipart/form-data; boundary=---- |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: POST |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: HTTP/1.1 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: Content-Disposition: form-data; name=" |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: hwid |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: build |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: token |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: file_name |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: file |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: message |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 |
Source: 3.2.cmd.exe.27b00c8.0.raw.unpack | String decryptor: screenshot.jpg |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D40576 __EH_prolog3_GS,memset,RegOpenKeyExW,RegQueryValueExW,CryptoData,wcslen,memcpy,RegDeleteValueW,RegDeleteValueW,RegDeleteValueW,RegSetValueExW,memset,wcsnlen,RegCloseKey, | 1_2_00D40576 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D413FA CryptoData, | 1_2_00D413FA |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D21596 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,GetLastError,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, | 1_2_00D21596 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D16031 __EH_prolog3_GS,CryptProtectData,LocalFree,strlen, | 1_2_00D16031 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D16887 __EH_prolog3_GS,CryptUnprotectData,LocalFree,LocalFree,LocalFree, | 1_2_00D16887 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7AFE4 __EH_prolog3_GS,CryptAcquireContextW,GetLastError,WideCharToMultiByte,memset,WideCharToMultiByte,memset,_memcpy_s,_memcpy_s,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptReleaseContext, | 1_2_00D7AFE4 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7BD6D __EH_prolog3_GS,CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptAcquireContextW,GetLastError,CryptGenKey,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,CryptExportKey,CryptExportKey,GetLastError,CryptExportKey,GetLastError,memset,GetLastError,_memcpy_s,CryptEncrypt,GetLastError,memset,_memcpy_s,_memcpy_s,_memcpy_s,_memcpy_s,memset,_memcpy_s,_memcpy_s,_memcpy_s,memset,MultiByteToWideChar,memset,MultiByteToWideChar,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, | 1_2_00D7BD6D |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_00210576 __EH_prolog3_GS,memset,RegOpenKeyExW,RegQueryValueExW,CryptoData,wcslen,memcpy,RegDeleteValueW,RegDeleteValueW,RegDeleteValueW,RegSetValueExW,memset,wcsnlen,RegCloseKey, | 2_2_00210576 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_002113FA CryptoData, | 2_2_002113FA |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_001F1596 CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,GetLastError,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, | 2_2_001F1596 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_001E6031 __EH_prolog3_GS,CryptProtectData,LocalFree,strlen, | 2_2_001E6031 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_001E6887 __EH_prolog3_GS,CryptUnprotectData,LocalFree,LocalFree,LocalFree, | 2_2_001E6887 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024AFE4 __EH_prolog3_GS,CryptAcquireContextW,GetLastError,WideCharToMultiByte,memset,WideCharToMultiByte,memset,_memcpy_s,_memcpy_s,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptReleaseContext, | 2_2_0024AFE4 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024BD6D __EH_prolog3_GS,CryptAcquireContextW,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptAcquireContextW,GetLastError,CryptGenKey,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,CryptExportKey,CryptExportKey,GetLastError,CryptExportKey,GetLastError,memset,GetLastError,_memcpy_s,CryptEncrypt,GetLastError,memset,_memcpy_s,_memcpy_s,_memcpy_s,_memcpy_s,memset,_memcpy_s,_memcpy_s,_memcpy_s,memset,MultiByteToWideChar,memset,MultiByteToWideChar,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, | 2_2_0024BD6D |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D806AF __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,memset,ShellExecuteExW,GetLastError,FindClose,CloseHandle,FindClose,OutputDebugStringW, | 1_2_00D806AF |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D80DE5 __EH_prolog3_GS,memset,FindFirstFileW,FindClose,memset,GetShortPathNameW,memset,ShellExecuteExW,CloseHandle, | 1_2_00D80DE5 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7E3E1 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,OutputDebugStringW,CreateProcessWithTokenW,GetLastError,CloseHandle,CloseHandle,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 1_2_00D7E3E1 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7EB52 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,memset,GetShortPathNameW,memset,memset,memset,CreateProcessW,GetLastError,FindClose,CloseHandle,CloseHandle,CloseHandle,FindClose,OutputDebugStringW, | 1_2_00D7EB52 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D5AD39 memset,PathRemoveBackslashW,FindFirstFileW,FindClose, | 1_2_00D5AD39 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7F042 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,CloseHandle,GetLastError,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 1_2_00D7F042 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_002506AF __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,memset,ShellExecuteExW,GetLastError,FindClose,CloseHandle,FindClose,OutputDebugStringW, | 2_2_002506AF |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_00250DE5 __EH_prolog3_GS,memset,FindFirstFileW,FindClose,memset,GetShortPathNameW,memset,ShellExecuteExW,CloseHandle, | 2_2_00250DE5 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024E3E1 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,OutputDebugStringW,CreateProcessWithTokenW,GetLastError,CloseHandle,CloseHandle,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 2_2_0024E3E1 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024EB52 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,memset,GetShortPathNameW,memset,memset,memset,CreateProcessW,GetLastError,FindClose,CloseHandle,CloseHandle,CloseHandle,FindClose,OutputDebugStringW, | 2_2_0024EB52 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0022AD39 memset,PathRemoveBackslashW,FindFirstFileW,FindClose, | 2_2_0022AD39 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024F042 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,CloseHandle,GetLastError,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 2_2_0024F042 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: HTTPS://PT32.9_TM_0003 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c0rl.m |
Source: ptInst.exe, 00000002.00000002.1683248198.0000000003215000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c0rl.m%L |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: ptInst.exe, 00000001.00000002.1613501904.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683248198.0000000003215000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.co(m/D |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert. |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0A |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0C |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0N |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://ocsp.digicert.com0O |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://ourworld.compuserve.com/homepages/John_Maddock/ZipArchive |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sv.sym |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0& |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.artpol-software.com/CrystalEdit |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.codeproject.com/www.codeguru.comhttp://www.codeguru.com/Several |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0 |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.grigsoft.com |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.grigsoft.com/ |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.grigsoft.com/wc3addin.htm |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.0000000003036000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.00000000032B3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.000000000290D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.0000000003537000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/ |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.softechsoftware.it/RegEx |
Source: I9IKjqeBAs.exe | String found in binary or memory: http://www.softidentity.com/this |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0( |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0 |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660656534.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0/ |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: http://www.webex.com/schemas/2002/06/service |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/changePassword.php?PT=1 |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/e.php?AT=CM |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/e.php?AT=FPNF |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/e.php?AT=MO |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/e.php?AT=MO&isUTF8=1 |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/e.php?AT=OCS&IT=1 |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/featureconfig.php |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/ipphone.php |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/joinMeetingByNumber.php?PT=1&languageID=1 |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/k2/e.php?AT=CM |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/mywebex/site/forgotpwd.php?EFlag=1&Rnd=%lu |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=%s&%s=%s&UTF8=1&SubMenu=PTIMS& |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=%s&%s=%s&UTF8=1&SubMenu=PTPMR |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=%s&%s=%s&UTF8=1&SubMenu=PTPMRh |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=%s&TK=%s&UTF8=1 |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/mywebex/tool/frame/mywebexframe.php?MWAT=mw&strUserName=%s&TK=%s&UTF8=1&SubMenu=MPSP |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/nobrowser.php? |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/onstage/e.php?AT=CM |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/outlook.php |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/p.php?AT=LI&WID=%s&TK=%s&SPL=1&MU= |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/p.php?AT=LI&isUTF8=1&SK=%s&WID=%s&MU=%s |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/p.php?AT=LI&isUTF8=1&TK=%s&WID=%s&MU=%s |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/pt.php |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/pt.php?AT=HELP&LanguageID=%s |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/pt.php?AT=HELP&LanguageID=%sstrFmt.c_str()OpenHelp--URLntdll.dllNtSetInformationProces |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/sac/e.php?AT=CM |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/servicerds.php?SP=MC |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/surl.php |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/%s/teleconfaccount.php?resFunction=0&form=&backUrl=0&serviceType=MW&currentIndex=0&PT=1 |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/user.php |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/w.php |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/w.php?AT=HO&MK=%s&BI=%s&isUTF8=1 |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/w.php?AT=JO&MK=%s&isUTF8=1&IT=1&CallbackNumber=%s&PTDisclaimer=1 |
Source: ptInst.exe | String found in binary or memory: https://%s/%s/w.php?AT=JO&MK=%s&isUTF8=1&IT=1&MHAtteID=%u&PTDisclaimer=1 |
Source: ptInst.exe | String found in binary or memory: https://%s/dispatcher/CIAuthService.do?cmd=login&siteurl=%s&from=PT&locale=%s&email=%s |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/dispatcher/CIAuthService.do?cmd=login&siteurl=%s&from=PT&locale=%s&email=%shttps://%s/%s/ |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/dispatcher/CIAuthService.do?cmd=login&siteurl=%s&from=PT&locale=null |
Source: ptInst.exe | String found in binary or memory: https://%s/dispatcher/FederatedSSO.do?siteurl=%s&AT=config&TYPE=PT |
Source: ptInst.exe | String found in binary or memory: https://%s/dispatcher/getSiteName.php |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/orion/profile.do?PT=1&username=%s&ticket=%s&IsLogin=1&rnd=%lu |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/orion/ptmeeting.do?username=%s&ticket=%s&action=joinbynumber&rnd=%lu |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/orion/ptmeeting.do?username=%s&ticket=%s&action=recording&rnd=%lu |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/orion/ptmeeting.do?username=%s&ticket=%s&action=schedule&rnd=%lu |
Source: ptInst.exe, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/orion/ptmeeting.do?username=%s&ticket=%s&rnd=%lu |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://%s/orion/ptmeeting.do?username=%s&ticket=%s&rnd=%luhttps://%s/orion/profile.do?PT=1&username |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://&<>"'%s_%s.mymy%s.%s%s/%sThe |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0% |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: ptInst.exe | String found in binary or memory: https://hm1gla-rvproxy.qa.webex.com/gla/GLAService |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://hm1gla-rvproxy.qa.webex.com/gla/GLAServicehttps://meetings-api.webex.com/gla/GLAServiceCSCvf |
Source: ptInst.exe | String found in binary or memory: https://meetings-api.webex.com/gla/GLAService |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.0.dr, msvcp140.dll.1.dr, vcruntime140.dll.1.dr, msvcp140.dll.0.dr | String found in binary or memory: https://onedrive.live.com/about/en-us/0 |
Source: I9IKjqeBAs.exe | String found in binary or memory: https://sectigo.com/CPS0 |
Source: ptInst.exe | String found in binary or memory: https://supportforums.cisco.com/community/12156681/cisco-proximity |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000000.1608724925.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000001.00000002.1613171910.0000000000DA5000.00000002.00000001.01000000.00000005.sdmp, ptInst.exe, 00000002.00000002.1681041159.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe, 00000002.00000000.1612672427.0000000000275000.00000002.00000001.01000000.00000009.sdmp, ptInst.exe.0.dr, ptInst.exe.1.dr | String found in binary or memory: https://supportforums.cisco.com/community/12156681/cisco-proximitySiteNamedwMsitypedwRetCTEUpdate::I |
Source: I9IKjqeBAs.exe, 00000000.00000002.1660795168.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, I9IKjqeBAs.exe, 00000000.00000002.1660795168.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000002.1613546929.000000000308C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612342606.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000001.00000003.1612100760.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ptInst.exe, 00000002.00000002.1683344107.0000000003309000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.1933044085.0000000002955000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.1932977357.000000000357F000.00000004.00000800.00020000.00000000.sdmp, WCLDll.dll.1.dr, ptInst.exe.0.dr, ptInst.exe.1.dr, WCLDll.dll.0.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: pla.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: pdh.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: tdh.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: wevtapi.dll |
Source: C:\Users\user\Desktop\I9IKjqeBAs.exe | Section loaded: shdocvw.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: wcldll.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: msvcp140.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: wtsapi32.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: msvcp140.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: msimg32.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: dwmapi.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: usp10.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: dbghelp.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: pla.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: pdh.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: tdh.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: cabinet.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: wevtapi.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: shdocvw.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: version.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: wcldll.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: msvcp140.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: wtsapi32.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: msvcp140.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: msimg32.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: dwmapi.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: usp10.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: vcruntime140.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: dbghelp.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: pla.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: pdh.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: tdh.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: cabinet.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: wevtapi.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: shdocvw.dll |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Section loaded: winhttp.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll |
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D806AF __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,memset,ShellExecuteExW,GetLastError,FindClose,CloseHandle,FindClose,OutputDebugStringW, | 1_2_00D806AF |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D80DE5 __EH_prolog3_GS,memset,FindFirstFileW,FindClose,memset,GetShortPathNameW,memset,ShellExecuteExW,CloseHandle, | 1_2_00D80DE5 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7E3E1 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,OutputDebugStringW,CreateProcessWithTokenW,GetLastError,CloseHandle,CloseHandle,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 1_2_00D7E3E1 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7EB52 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,memset,GetShortPathNameW,memset,memset,memset,CreateProcessW,GetLastError,FindClose,CloseHandle,CloseHandle,CloseHandle,FindClose,OutputDebugStringW, | 1_2_00D7EB52 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D5AD39 memset,PathRemoveBackslashW,FindFirstFileW,FindClose, | 1_2_00D5AD39 |
Source: C:\Users\user\AppData\Local\Temp\ClientAdvanced\ptInst.exe | Code function: 1_2_00D7F042 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,CloseHandle,GetLastError,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 1_2_00D7F042 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_002506AF __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,memset,ShellExecuteExW,GetLastError,FindClose,CloseHandle,FindClose,OutputDebugStringW, | 2_2_002506AF |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_00250DE5 __EH_prolog3_GS,memset,FindFirstFileW,FindClose,memset,GetShortPathNameW,memset,ShellExecuteExW,CloseHandle, | 2_2_00250DE5 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024E3E1 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,OutputDebugStringW,CreateProcessWithTokenW,GetLastError,CloseHandle,CloseHandle,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 2_2_0024E3E1 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024EB52 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,memset,GetShortPathNameW,memset,memset,memset,CreateProcessW,GetLastError,FindClose,CloseHandle,CloseHandle,CloseHandle,FindClose,OutputDebugStringW, | 2_2_0024EB52 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0022AD39 memset,PathRemoveBackslashW,FindFirstFileW,FindClose, | 2_2_0022AD39 |
Source: C:\Users\user\AppData\Roaming\ClientAdvanced\ptInst.exe | Code function: 2_2_0024F042 __EH_prolog3_GS,memset,PathCombineW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,memset,FindFirstFileW,OutputDebugStringW,memset,GetShortPathNameW,OutputDebugStringW,FindClose,memset,memset,memset,CreateProcessAsUserW,CloseHandle,GetLastError,OutputDebugStringW,CloseHandle,CloseHandle,OutputDebugStringW,OutputDebugStringW, | 2_2_0024F042 |