Windows Analysis Report
Enquiry 230424.bat

Overview

General Information

Sample name: Enquiry 230424.bat
Analysis ID: 1430840
MD5: a9749727f9641b10363c264695ce4822
SHA1: 1d3d5576790a9c72ddb03eaacac1bddd25d77477
SHA256: 49cf050274b9a52bf56ac45d548d91c5a13c6d65c36bf363447ffa3f0143c078
Tags: bat
Infos:

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Remcos
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Installs a global keyboard hook
Machine Learning detection for dropped file
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
DBatLoader This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Found malware configuration
Source: 0000000C.00000002.3701876701.0000000000708000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:47212:1officerem.duckdns.org:47212:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I8N3XG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for domain / URL
Source: officerem.duckdns.org Virustotal: Detection: 11% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF ReversingLabs: Detection: 26%
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Virustotal: Detection: 57% Perma Link
Source: C:\Users\Public\Libraries\netutils.dll ReversingLabs: Detection: 28%
Source: C:\Users\Public\Libraries\netutils.dll Virustotal: Detection: 47% Perma Link
Source: C:\Users\Public\Libraries\sppsvc.pif ReversingLabs: Detection: 26%
Source: C:\Users\Public\Libraries\sppsvc.pif Virustotal: Detection: 57% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3701876701.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3723892699.000000001517F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1441490327.0000000000711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1518969358.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1916, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\sppsvc.pif Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C2C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357, 7_2_00007FF7C25C2C2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C2F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection, 7_2_00007FF7C25C2F38
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2646374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror, 7_2_00007FF7C2646374
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2642358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext, 7_2_00007FF7C2642358
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2688404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 7_2_00007FF7C2688404
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D4410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25D4410
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F23E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer, 7_2_00007FF7C25F23E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DE3B0 #357,#357,CryptDecodeObject,LocalFree, 7_2_00007FF7C25DE3B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2648488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2648488
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free, 7_2_00007FF7C262A450
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore, 7_2_00007FF7C262C450
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7C267E516
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DC514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree, 7_2_00007FF7C25DC514
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C44E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25C44E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26224D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext, 7_2_00007FF7C26224D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2636194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7C2636194
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey, 7_2_00007FF7C261417C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B613C CryptDecodeObjectEx, 7_2_00007FF7C26B613C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B6214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError, 7_2_00007FF7C26B6214
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject, 7_2_00007FF7C264E1F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357, 7_2_00007FF7C268A1F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree, 7_2_00007FF7C263A1E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F21A4 #360,#359,#357,#357,BCryptFreeBuffer, 7_2_00007FF7C25F21A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26761AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357, 7_2_00007FF7C26761AC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2672278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext, 7_2_00007FF7C2672278
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2626280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2626280
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7C267E274
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F0300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357, 7_2_00007FF7C25F0300
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BA2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject, 7_2_00007FF7C26BA2E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2688298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove, 7_2_00007FF7C2688298
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7C268A740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650740 BCryptCloseAlgorithmProvider,#205,#357,#357, 7_2_00007FF7C2650740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2642724 CryptDecodeObject,GetLastError,#357, 7_2_00007FF7C2642724
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2688814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357, 7_2_00007FF7C2688814
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26507F4 BCryptDestroyKey,#205,#357, 7_2_00007FF7C26507F4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7C263C7F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26607D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7C26607D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26427BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C26427BC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B67CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25B67CC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26507A4 BCryptDestroyHash,#205,#357, 7_2_00007FF7C26507A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650844 BCryptExportKey,#205,#359,#357,#357, 7_2_00007FF7C2650844
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D6824 CryptHashCertificate,GetLastError,#357, 7_2_00007FF7C25D6824
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2684914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7C2684914
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash, 7_2_00007FF7C263E914
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26508EC BCryptGetProperty,#205,#359,#357,#357, 7_2_00007FF7C26508EC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CA8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore, 7_2_00007FF7C25CA8CC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BE8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree, 7_2_00007FF7C26BE8B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 7_2_00007FF7C268A590
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BA58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject, 7_2_00007FF7C26BA58C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore, 7_2_00007FF7C264E57C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D8600 #357,CryptDecodeObject,GetLastError,LocalFree, 7_2_00007FF7C25D8600
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26125E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey, 7_2_00007FF7C26125E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DC5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree, 7_2_00007FF7C25DC5D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26565B4 NCryptIsKeyHandle,_CxxThrowException, 7_2_00007FF7C26565B4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2624694 CertFindAttribute,CryptHashCertificate2,memcmp,#357, 7_2_00007FF7C2624694
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E6694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose, 7_2_00007FF7C25E6694
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686654 NCryptGetProperty,#360, 7_2_00007FF7C2686654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore, 7_2_00007FF7C261A654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E0630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25E0630
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F26E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357, 7_2_00007FF7C25F26E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26866D8 NCryptFreeObject,#360, 7_2_00007FF7C26866D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26786D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext, 7_2_00007FF7C26786D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650B80 NCryptCreatePersistedKey,#205,#359,#359,#357, 7_2_00007FF7C2650B80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BEB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree, 7_2_00007FF7C26BEB38
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2680BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash, 7_2_00007FF7C2680BF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2652BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C2652BC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree, 7_2_00007FF7C267CBB4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DCB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle, 7_2_00007FF7C25DCB98
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2680B9C CryptHashData,GetLastError,#357, 7_2_00007FF7C2680B9C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686C88 NCryptEnumAlgorithms,#360, 7_2_00007FF7C2686C88
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2694C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext, 7_2_00007FF7C2694C80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2652C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError, 7_2_00007FF7C2652C80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2688C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree, 7_2_00007FF7C2688C58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650C3C NCryptExportKey,#205,#359,#359,#357, 7_2_00007FF7C2650C3C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B6C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree, 7_2_00007FF7C25B6C4C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25ECC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider, 7_2_00007FF7C25ECC24
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686C30 NCryptOpenStorageProvider,#360, 7_2_00007FF7C2686C30
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650D14 NCryptFinalizeKey,#205,#357,#357, 7_2_00007FF7C2650D14
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2652CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError, 7_2_00007FF7C2652CFC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2642CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357, 7_2_00007FF7C2642CF8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A8CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree, 7_2_00007FF7C26A8CF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686CE0 NCryptEnumStorageProviders,#360, 7_2_00007FF7C2686CE0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2614CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free, 7_2_00007FF7C2614CC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z, 7_2_00007FF7C265ACAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2644CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7C2644CA0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2682994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree, 7_2_00007FF7C2682994
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DC960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree, 7_2_00007FF7C25DC960
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2658940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2658940
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265C940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C265C940
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree, 7_2_00007FF7C263AA00
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7C268A9F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW, 7_2_00007FF7C261E9F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265099C BCryptOpenAlgorithmProvider,#205,#359,#359, 7_2_00007FF7C265099C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26129A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey, 7_2_00007FF7C26129A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C6A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree, 7_2_00007FF7C25C6A84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2682A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359, 7_2_00007FF7C2682A78
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash, 7_2_00007FF7C263EA7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2634A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree, 7_2_00007FF7C2634A34
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2654A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException, 7_2_00007FF7C2654A1C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650A18 BCryptSetProperty,#205,#359,#357,#357, 7_2_00007FF7C2650A18
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F2B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer, 7_2_00007FF7C25F2B00
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2648AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7C2648AFC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2652AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError, 7_2_00007FF7C2652AE4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650ABC BCryptVerifySignature,#205,#357,#357,#357,#357, 7_2_00007FF7C2650ABC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2658AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2658AA0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E4F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357, 7_2_00007FF7C25E4F90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267EF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C267EF74
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2640F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext, 7_2_00007FF7C2640F58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2634F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7C2634F50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686F2C NCryptExportKey,#360, 7_2_00007FF7C2686F2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E8F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError, 7_2_00007FF7C25E8F1C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268700C BCryptEnumAlgorithms,#360, 7_2_00007FF7C268700C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686FAC BCryptOpenAlgorithmProvider,#360, 7_2_00007FF7C2686FAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650FB4 NCryptOpenKey,#205,#359,#357,#357, 7_2_00007FF7C2650FB4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree, 7_2_00007FF7C25F107C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268705C BCryptGetProperty,#360, 7_2_00007FF7C268705C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2651058 NCryptOpenStorageProvider,#205,#359,#357, 7_2_00007FF7C2651058
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2649028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree, 7_2_00007FF7C2649028
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C265301C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection, 7_2_00007FF7C25C302F
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C7034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext, 7_2_00007FF7C25C7034
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2657020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2657020
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26510D8 NCryptSetProperty,#205,#359,#357,#359,#357, 7_2_00007FF7C26510D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26530D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 7_2_00007FF7C26530D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26870C8 BCryptSetProperty,#360, 7_2_00007FF7C26870C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357, 7_2_00007FF7C261B098
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265B0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C265B0A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2652D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError, 7_2_00007FF7C2652D78
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686D78 NCryptOpenKey,#360, 7_2_00007FF7C2686D78
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650D84 NCryptFreeObject,#205,#357, 7_2_00007FF7C2650D84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686D2C NCryptFreeBuffer,#360, 7_2_00007FF7C2686D2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2612D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7C2612D18
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2634DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7C2634DDC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686DE0 NCryptCreatePersistedKey,#360, 7_2_00007FF7C2686DE0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650DD4 NCryptGetProperty,#205,#359,#357,#359,#357, 7_2_00007FF7C2650DD4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2678DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree, 7_2_00007FF7C2678DD0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A0DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357, 7_2_00007FF7C26A0DB8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2682DAC #357,#357,CryptFindOIDInfo,LocalFree, 7_2_00007FF7C2682DAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267EE94 CryptSignMessage,SetLastError, 7_2_00007FF7C267EE94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F0E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext, 7_2_00007FF7C25F0E94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2622E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree, 7_2_00007FF7C2622E7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2652E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree, 7_2_00007FF7C2652E6C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2694E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360, 7_2_00007FF7C2694E58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686E48 NCryptSetProperty,#360, 7_2_00007FF7C2686E48
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E0E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25E0E24
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650EF4 NCryptImportKey,#205,#359,#359,#357, 7_2_00007FF7C2650EF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B0ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359, 7_2_00007FF7C26B0ED0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686EA8 NCryptImportKey,#360, 7_2_00007FF7C2686EA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2653390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError, 7_2_00007FF7C2653390
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DB36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString, 7_2_00007FF7C25DB36C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E7340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree, 7_2_00007FF7C25E7340
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260B350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357, 7_2_00007FF7C260B350
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2615338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7C2615338
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EB324 CryptDecodeObject,GetLastError,#357,#357,LocalFree, 7_2_00007FF7C25EB324
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26353E8 CryptEncodeObjectEx,GetLastError,#357, 7_2_00007FF7C26353E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26113F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext, 7_2_00007FF7C26113F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 7_2_00007FF7C263B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26633B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357, 7_2_00007FF7C26633B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26893A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7C26893A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError, 7_2_00007FF7C268739C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26333A0 CryptVerifyCertificateSignature,CertCompareCertificateName, 7_2_00007FF7C26333A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263F488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree, 7_2_00007FF7C263F488
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2659480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2659480
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266B464 CryptEncodeObjectEx,SetLastError, 7_2_00007FF7C266B464
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B5438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree, 7_2_00007FF7C25B5438
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C265342C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7C268141C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26534F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError, 7_2_00007FF7C26534F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2613504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle, 7_2_00007FF7C2613504
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266B4EC CryptDecodeObjectEx,SetLastError, 7_2_00007FF7C266B4EC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26814F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext, 7_2_00007FF7C26814F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267F4A0 CryptHashPublicKeyInfo,SetLastError, 7_2_00007FF7C267F4A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2633188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError, 7_2_00007FF7C2633188
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687178 BCryptCloseAlgorithmProvider,#360, 7_2_00007FF7C2687178
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263F168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey, 7_2_00007FF7C263F168
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2635164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7C2635164
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2609134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore, 7_2_00007FF7C2609134
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree, 7_2_00007FF7C267511C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687124 BCryptGenerateKeyPair,#360, 7_2_00007FF7C2687124
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError, 7_2_00007FF7C2687214
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A9208 #357,NCryptEnumKeys,#360,#358, 7_2_00007FF7C26A9208
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26511C8 NCryptVerifySignature,#205,#357,#357,#357,#357, 7_2_00007FF7C26511C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26871C8 BCryptDestroyKey,#360, 7_2_00007FF7C26871C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26531C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 7_2_00007FF7C26531C0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26251A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C26251A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267D28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358, 7_2_00007FF7C267D28C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687290 NCryptIsKeyHandle,#359,#360,#357,#358, 7_2_00007FF7C2687290
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25ED240 #357,CryptFindOIDInfo,#357,LocalFree, 7_2_00007FF7C25ED240
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25ED304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25ED304
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263D30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash, 7_2_00007FF7C263D30C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264F2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C264F2F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26292D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext, 7_2_00007FF7C26292D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26332D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 7_2_00007FF7C26332D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26192C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary, 7_2_00007FF7C26192C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26532A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 7_2_00007FF7C26532A8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261B2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358, 7_2_00007FF7C261B2B4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266B794 CryptExportPublicKeyInfoEx,SetLastError, 7_2_00007FF7C266B794
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262577C #360,#358,CryptDecodeObject,GetLastError,#357, 7_2_00007FF7C262577C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25ED790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree, 7_2_00007FF7C25ED790
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CB788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224, 7_2_00007FF7C25CB788
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2655768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2655768
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree, 7_2_00007FF7C261F774
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267D750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357, 7_2_00007FF7C267D750
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry, 7_2_00007FF7C263B808
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267F7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree, 7_2_00007FF7C267F7FC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EF810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree, 7_2_00007FF7C25EF810
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26697E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree, 7_2_00007FF7C26697E4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F17D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree, 7_2_00007FF7C25F17D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26537A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C26537A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E7884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree, 7_2_00007FF7C25E7884
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2629878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357, 7_2_00007FF7C2629878
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2653860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C2653860
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree, 7_2_00007FF7C264184C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263D850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache, 7_2_00007FF7C263D850
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C38FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection, 7_2_00007FF7C25C38FC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26218DC CertFindExtension,CryptDecodeObject,GetLastError,#357, 7_2_00007FF7C26218DC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B8D0 I_CryptGetLruEntryData,#357, 7_2_00007FF7C263B8D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26898B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7C26898B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2653590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C2653590
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2689580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext, 7_2_00007FF7C2689580
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267F570 CryptHashCertificate,SetLastError, 7_2_00007FF7C267F570
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261B55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357, 7_2_00007FF7C261B55C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26395FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider, 7_2_00007FF7C26395FC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26155F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree, 7_2_00007FF7C26155F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DD5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25DD5C2
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2679688 CryptFindOIDInfo,#357,#360,#360,#360, 7_2_00007FF7C2679688
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357, 7_2_00007FF7C262366C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DD660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree, 7_2_00007FF7C25DD660
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C5664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359, 7_2_00007FF7C25C5664
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry, 7_2_00007FF7C263B664
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2653654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError, 7_2_00007FF7C2653654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267F650 CryptHashCertificate2,SetLastError, 7_2_00007FF7C267F650
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264F644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C264F644
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DF630 CryptAcquireContextW,GetLastError,#357,SetLastError, 7_2_00007FF7C25DF630
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26536E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C26536E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree, 7_2_00007FF7C263F6D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26076B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7C26076B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree, 7_2_00007FF7C266D6A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5B90 CryptDecodeObjectEx,memmove, 7_2_00007FF7C26B5B90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DBB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree, 7_2_00007FF7C25DBB80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267FB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357, 7_2_00007FF7C267FB94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext, 7_2_00007FF7C2687B60
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357, 7_2_00007FF7C268BB50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265FB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType, 7_2_00007FF7C265FB50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261BB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C261BB38
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2685B44 CertFindExtension,#357,CryptDecodeObject,GetLastError, 7_2_00007FF7C2685B44
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2653BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2653BEB
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D9BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree, 7_2_00007FF7C25D9BC8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265BBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException, 7_2_00007FF7C265BBC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B5BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7C25B5BA4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2641C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree, 7_2_00007FF7C2641C84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2603C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7C2603C60
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5C54 CryptDecodeObjectEx,CryptDecodeObjectEx, 7_2_00007FF7C26B5C54
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F1C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer, 7_2_00007FF7C25F1C50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357, 7_2_00007FF7C25EFC20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260FC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C260FC34
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2645CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357, 7_2_00007FF7C2645CE8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26AB980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer, 7_2_00007FF7C26AB980
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263597C GetLastError,CryptEncodeObjectEx,GetLastError,#357, 7_2_00007FF7C263597C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E7988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree, 7_2_00007FF7C25E7988
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2679970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree, 7_2_00007FF7C2679970
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B950 I_CryptGetLruEntryData,#357, 7_2_00007FF7C263B950
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260F944 CryptDecodeObject,GetLastError,#357, 7_2_00007FF7C260F944
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D3918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25D3918
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError, 7_2_00007FF7C265391C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267F918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree, 7_2_00007FF7C267F918
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject, 7_2_00007FF7C268BA14
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357, 7_2_00007FF7C263B9CC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree, 7_2_00007FF7C25DF9B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree, 7_2_00007FF7C267FA84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2657A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2657A70
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2669A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize, 7_2_00007FF7C2669A58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E3A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25E3A40
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266BA50 CryptSignCertificate,SetLastError, 7_2_00007FF7C266BA50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2651A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException, 7_2_00007FF7C2651A44
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2613B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey, 7_2_00007FF7C2613B14
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2649AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject, 7_2_00007FF7C2649AF8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5AA8 CryptDecodeObjectEx, 7_2_00007FF7C26B5AA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2659F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException, 7_2_00007FF7C2659F90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EFF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357, 7_2_00007FF7C25EFF64
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2625F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree, 7_2_00007FF7C2625F54
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5F20 CryptDecodeObjectEx, 7_2_00007FF7C26B5F20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5FF0 CryptDecodeObjectEx,CryptDecodeObjectEx, 7_2_00007FF7C26B5FF0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E5FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree, 7_2_00007FF7C25E5FE8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2655FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException, 7_2_00007FF7C2655FA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2624070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree, 7_2_00007FF7C2624070
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267E044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree, 7_2_00007FF7C267E044
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E60DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree, 7_2_00007FF7C25E60DA
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260DD80 CertFindExtension,CryptDecodeObject, 7_2_00007FF7C260DD80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2665D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357, 7_2_00007FF7C2665D80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2609D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2609D6C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5D74 CryptDecodeObjectEx,strcmp,strcmp, 7_2_00007FF7C26B5D74
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2611D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2611D70
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2633D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext, 7_2_00007FF7C2633D60
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree, 7_2_00007FF7C2687D3C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree, 7_2_00007FF7C268BD3C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267FD2C CryptDecryptMessage,GetLastError,#357, 7_2_00007FF7C267FD2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266DD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree, 7_2_00007FF7C266DD1C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E5DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357, 7_2_00007FF7C25E5DF7
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C1DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free, 7_2_00007FF7C25C1DE8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E5DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree, 7_2_00007FF7C25E5DA1
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267DE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree, 7_2_00007FF7C267DE70
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B5E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp, 7_2_00007FF7C26B5E3C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2641E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2641E2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2607F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext, 7_2_00007FF7C2607F14
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2645F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree, 7_2_00007FF7C2645F04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2687EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree, 7_2_00007FF7C2687EE8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7C263DEB0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260DEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree, 7_2_00007FF7C260DEA4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15403837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 12_2_15403837
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14583837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 27_2_14583837
Source: sppsvc.pif, 0000000C.00000002.3723959281.000000001543B000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_d041fd55-9

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145574FD _wcslen,CoGetObject, 27_2_145574FD
Source: unknown HTTPS traffic detected: 50.7.84.74:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.12.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1245834008.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1252345030.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1258239920.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1252691548.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1258683087.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1266660085.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.1267792748.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.1268999594.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000000.1269451055.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000002.1270307434.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: easinvoker.pdbH source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318855574.00000000149C1000.00000004.00000020.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.12.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1245834008.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1252345030.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1258239920.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1252691548.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1258683087.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1266660085.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.1267792748.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.1268999594.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000000.1269451055.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000002.1270307434.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF75D267B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF75D267B4C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 7_2_00007FF7C269234C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 7_2_00007FF7C262C6F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2696F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 7_2_00007FF7C2696F80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2693100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7C2693100
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26910C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7C26910C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 7_2_00007FF7C263B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25FD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25FD440
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 7_2_00007FF7C263D4A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2673674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 7_2_00007FF7C2673674
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 7_2_00007FF7C263DBC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26919F8 #359,FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7C26919F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2691B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 7_2_00007FF7C2691B04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2635E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 7_2_00007FF7C2635E58
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 12_2_153DBD37
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 12_2_153D9665
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D783C FindFirstFileW,FindNextFileW, 12_2_153D783C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D880C FindFirstFileW,FindNextFileW,FindClose, 12_2_153D880C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 12_2_153DBB30
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 12_2_153DC34D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 12_2_153EC291
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E9AF5 FindFirstFileW, 12_2_153E9AF5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1541E879 FindFirstFileExA, 12_2_1541E879
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 13_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 13_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 13_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 13_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 13_2_00007FF75D267B4C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 15_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 15_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 15_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 15_2_00007FF75D267B4C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_14559665
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_14559253
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 27_2_1456C291
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 27_2_1455C34D
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 27_2_1455BD37
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1459E879 FindFirstFileExA, 27_2_1459E879
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 27_2_1455880C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455783C FindFirstFileW,FindNextFileW, 27_2_1455783C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14569AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 27_2_14569AF5
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 27_2_1455BB30
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_028F58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 27_2_028F58CC
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 27_2_14557C97

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 127.0.0.1
Uses dynamic DNS services
Source: unknown DNS query: name: officerem.duckdns.org
Contains functionality to check if a connection to the internet is available
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0289C8AC InternetCheckConnectionA, 12_2_0289C8AC
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49707 -> 23.95.235.29:47212
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.95.235.29 23.95.235.29
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=s0KQZZ20oEdeVIFeHLcUr1cebhH4324o6l6m_6VdXu7F9BC40m659-sZAcG9IQRhtA&pk_vid=4c552cad835b0021171374114500ca33 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 2007.filemail.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E662D Sleep,URLDownloadToFileW, 12_2_153E662D
Source: global traffic HTTP traffic detected: GET /api/file/get?filekey=s0KQZZ20oEdeVIFeHLcUr1cebhH4324o6l6m_6VdXu7F9BC40m659-sZAcG9IQRhtA&pk_vid=4c552cad835b0021171374114500ca33 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 2007.filemail.com
Source: unknown DNS traffic detected: queries for: 2007.filemail.com
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: kn.exe String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: Rwksdoeb.PIF String found in binary or memory: http://geoplugin.net/json.gp
Source: sppsvc.pif, 0000000C.00000002.3723959281.000000001543B000.00000040.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: sppsvc.pif, 0000000C.00000003.1270521086.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, Rwksdoeb.PIF, 0000001B.00000002.1444499298.000000000291B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: kn.exe String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: sppsvc.pif, 0000000C.00000002.3701876701.000000000065A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2007.filemail.com/
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013C3D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://2007.filemail.com/api/fi
Source: sppsvc.pif, 0000000C.00000002.3701876701.0000000000690000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000002.3701876701.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000002.3717285102.0000000013C19000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://2007.filemail.com/api/file/get?filekey=s0KQZZ20oEdeVIFeHLcUr1cebhH4324o6l6m_6VdXu7F9BC40m659
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2007.filemail.com:443/api/file/get?filekey=s0KQZZ20oEdeVIFeHLcUr1cebhH4324o6l6m_6VdXu7F9BC40
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 50.7.84.74:443 -> 192.168.2.7:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DA2B8 SetWindowsHookExA 0000000D,153DA2A4,00000000 12_2_153DA2B8
Installs a global keyboard hook
Source: C:\Users\Public\Libraries\sppsvc.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\sppsvc.pif Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DB70E OpenClipboard,GetClipboardData,CloseClipboard, 12_2_153DB70E
Contains functionality to modify clipboard data
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145668C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 27_2_145668C1
Contains functionality to read the clipboard data
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DB70E OpenClipboard,GetClipboardData,CloseClipboard, 12_2_153DB70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DA3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 12_2_153DA3E0
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3701876701.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3723892699.000000001517F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1441490327.0000000000711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1518969358.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1916, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Registers a new ROOT certificate
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260B684 CertCompareCertificateName,#357,#357,CertEnumCertificatesInStore,CertCompareCertificateName,CertComparePublicKeyInfo,memcmp,#357,CertEnumCertificatesInStore,#357,CertFreeCertificateContext,CertAddCertificateContextToStore,GetLastError, 7_2_00007FF7C260B684

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EC9E2 SystemParametersInfoW, 12_2_153EC9E2
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456C9E2 SystemParametersInfoW, 27_2_1456C9E2
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject, 7_2_00007FF7C264E1F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7C268A740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26125E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey, 7_2_00007FF7C26125E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26129A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey, 7_2_00007FF7C26129A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash, 7_2_00007FF7C263EA7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2640F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext, 7_2_00007FF7C2640F58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2650EF4 NCryptImportKey,#205,#359,#359,#357, 7_2_00007FF7C2650EF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2686EA8 NCryptImportKey,#360, 7_2_00007FF7C2686EA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26893A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7C26893A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7C265342C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree, 7_2_00007FF7C264184C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26898B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7C26898B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357, 7_2_00007FF7C25EFC20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree, 7_2_00007FF7C25DF9B8

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000C.00000002.3723959281.000000001543B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: sppsvc.pif PID: 1104, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\RwksdoebO.bat, type: DROPPED Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Found large BAT file
Source: Enquiry 230424.bat Static file information: 4541520
Abnormal high CPU Usage
Source: C:\Users\Public\Libraries\sppsvc.pif Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D271538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 4_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D25898C NtQueryInformationToken, 4_2_00007FF75D25898C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D243D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 4_2_00007FF75D243D94
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2589E4 NtQueryInformationToken,NtQueryInformationToken, 4_2_00007FF75D2589E4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 4_2_00007FF75D2588C0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D258114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 4_2_00007FF75D258114
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 4_2_00007FF75D26BCF0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D257FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 4_2_00007FF75D257FF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D271538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 6_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D25898C NtQueryInformationToken, 6_2_00007FF75D25898C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D243D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 6_2_00007FF75D243D94
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2589E4 NtQueryInformationToken,NtQueryInformationToken, 6_2_00007FF75D2589E4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 6_2_00007FF75D2588C0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D258114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 6_2_00007FF75D258114
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D26BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 6_2_00007FF75D26BCF0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D257FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 6_2_00007FF75D257FF8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26AC964 NtQuerySystemTime,RtlTimeToSecondsSince1970, 7_2_00007FF7C26AC964
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0289C3F8 NtCreateFile,NtWriteFile, 12_2_0289C3F8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0289C368 NtDeleteFile, 12_2_0289C368
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0289C4DC NtOpenFile,NtReadFile, 12_2_0289C4DC
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02897968 NtAllocateVirtualMemory, 12_2_02897968
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0289C3F6 NtCreateFile,NtWriteFile, 12_2_0289C3F6
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02897966 NtAllocateVirtualMemory, 12_2_02897966
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153ED58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 12_2_153ED58F
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EBB35 OpenProcess,NtResumeProcess,CloseHandle, 12_2_153EBB35
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EBB09 OpenProcess,NtSuspendProcess,CloseHandle, 12_2_153EBB09
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E32D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile, 12_2_153E32D2
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D258114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 13_2_00007FF75D258114
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D257FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError, 13_2_00007FF75D257FF8
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D271538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 13_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D25898C NtQueryInformationToken, 13_2_00007FF75D25898C
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D243D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 13_2_00007FF75D243D94
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2589E4 NtQueryInformationToken,NtQueryInformationToken, 13_2_00007FF75D2589E4
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 13_2_00007FF75D2588C0
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D26BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 13_2_00007FF75D26BCF0
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D258114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 15_2_00007FF75D258114
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D257FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError, 15_2_00007FF75D257FF8
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D271538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 15_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D25898C NtQueryInformationToken, 15_2_00007FF75D25898C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D243D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 15_2_00007FF75D243D94
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2589E4 NtQueryInformationToken,NtQueryInformationToken, 15_2_00007FF75D2589E4
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 15_2_00007FF75D2588C0
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D26BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 15_2_00007FF75D26BCF0
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145632D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 27_2_145632D2
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456BB09 OpenProcess,NtSuspendProcess,CloseHandle, 27_2_1456BB09
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456BB35 OpenProcess,NtResumeProcess,CloseHandle, 27_2_1456BB35
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_0290C4DC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 27_2_0290C4DC
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_02907968 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 27_2_02907968
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_0290C3F6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 27_2_0290C3F6
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_0290C3F8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 27_2_0290C3F8
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_0290C368 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 27_2_0290C368
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_02907AC0 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 27_2_02907AC0
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_02907966 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 27_2_02907966
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_02907F46 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 27_2_02907F46
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_02907F48 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 27_2_02907F48
Contains functionality to communicate with device drivers
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D245240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 4_2_00007FF75D245240
Contains functionality to launch a process as a different user
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D254224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList, 4_2_00007FF75D254224
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E67B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 12_2_153E67B9
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145667B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 27_2_145667B4
Detected potential crypto function
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24AA54 4_2_00007FF75D24AA54
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D254224 4_2_00007FF75D254224
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D250A6C 4_2_00007FF75D250A6C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D255554 4_2_00007FF75D255554
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2537D8 4_2_00007FF75D2537D8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D247650 4_2_00007FF75D247650
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24D250 4_2_00007FF75D24D250
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D249E50 4_2_00007FF75D249E50
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D245240 4_2_00007FF75D245240
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D244A30 4_2_00007FF75D244A30
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26AA30 4_2_00007FF75D26AA30
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D242220 4_2_00007FF75D242220
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26EE88 4_2_00007FF75D26EE88
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24E680 4_2_00007FF75D24E680
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D267F00 4_2_00007FF75D267F00
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D246EE4 4_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D271538 4_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D247D30 4_2_00007FF75D247D30
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2481D4 4_2_00007FF75D2481D4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26D9D0 4_2_00007FF75D26D9D0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24CE10 4_2_00007FF75D24CE10
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D248DF8 4_2_00007FF75D248DF8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D242C48 4_2_00007FF75D242C48
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26AC4C 4_2_00007FF75D26AC4C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D257854 4_2_00007FF75D257854
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D241884 4_2_00007FF75D241884
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2518D4 4_2_00007FF75D2518D4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D248510 4_2_00007FF75D248510
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24B0D8 4_2_00007FF75D24B0D8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D249B50 4_2_00007FF75D249B50
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24372C 4_2_00007FF75D24372C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D243F90 4_2_00007FF75D243F90
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D245B70 4_2_00007FF75D245B70
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26AFBC 4_2_00007FF75D26AFBC
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D243410 4_2_00007FF75D243410
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D246BE0 4_2_00007FF75D246BE0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D24AA54 6_2_00007FF75D24AA54
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D254224 6_2_00007FF75D254224
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D250A6C 6_2_00007FF75D250A6C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D255554 6_2_00007FF75D255554
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2537D8 6_2_00007FF75D2537D8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D247650 6_2_00007FF75D247650
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D24D250 6_2_00007FF75D24D250
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D249E50 6_2_00007FF75D249E50
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D245240 6_2_00007FF75D245240
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D244A30 6_2_00007FF75D244A30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D26AA30 6_2_00007FF75D26AA30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D242220 6_2_00007FF75D242220
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D26EE88 6_2_00007FF75D26EE88
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D24E680 6_2_00007FF75D24E680
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D267F00 6_2_00007FF75D267F00
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D246EE4 6_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D271538 6_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D247D30 6_2_00007FF75D247D30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2481D4 6_2_00007FF75D2481D4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D26D9D0 6_2_00007FF75D26D9D0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D24CE10 6_2_00007FF75D24CE10
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D248DF8 6_2_00007FF75D248DF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D242C48 6_2_00007FF75D242C48
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D26AC4C 6_2_00007FF75D26AC4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D257854 6_2_00007FF75D257854
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D241884 6_2_00007FF75D241884
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2518D4 6_2_00007FF75D2518D4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D248510 6_2_00007FF75D248510
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D24B0D8 6_2_00007FF75D24B0D8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D249B50 6_2_00007FF75D249B50
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D24372C 6_2_00007FF75D24372C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D243F90 6_2_00007FF75D243F90
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D245B70 6_2_00007FF75D245B70
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D26AFBC 6_2_00007FF75D26AFBC
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D243410 6_2_00007FF75D243410
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D246BE0 6_2_00007FF75D246BE0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269C120 7_2_00007FF7C269C120
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269CCB8 7_2_00007FF7C269CCB8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C2F38 7_2_00007FF7C25C2F38
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269F020 7_2_00007FF7C269F020
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26C3800 7_2_00007FF7C26C3800
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269BC10 7_2_00007FF7C269BC10
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2646374 7_2_00007FF7C2646374
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269234C 7_2_00007FF7C269234C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2638414 7_2_00007FF7C2638414
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D4410 7_2_00007FF7C25D4410
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26443D0 7_2_00007FF7C26443D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25FE3A0 7_2_00007FF7C25FE3A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2610398 7_2_00007FF7C2610398
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2690490 7_2_00007FF7C2690490
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2648488 7_2_00007FF7C2648488
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2608484 7_2_00007FF7C2608484
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262A450 7_2_00007FF7C262A450
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262C450 7_2_00007FF7C262C450
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269E430 7_2_00007FF7C269E430
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26C842F 7_2_00007FF7C26C842F
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25BA424 7_2_00007FF7C25BA424
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C44E0 7_2_00007FF7C25C44E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263E4F0 7_2_00007FF7C263E4F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26984D8 7_2_00007FF7C26984D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26224D4 7_2_00007FF7C26224D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F64A8 7_2_00007FF7C25F64A8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B8170 7_2_00007FF7C25B8170
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D0140 7_2_00007FF7C25D0140
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26C41F8 7_2_00007FF7C26C41F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263A1E8 7_2_00007FF7C263A1E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260C1D0 7_2_00007FF7C260C1D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D227C 7_2_00007FF7C25D227C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2626280 7_2_00007FF7C2626280
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2694274 7_2_00007FF7C2694274
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267821C 7_2_00007FF7C267821C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260E29C 7_2_00007FF7C260E29C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A6750 7_2_00007FF7C26A6750
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263C7F0 7_2_00007FF7C263C7F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26327D0 7_2_00007FF7C26327D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26607D0 7_2_00007FF7C26607D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A2854 7_2_00007FF7C26A2854
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263E844 7_2_00007FF7C263E844
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26908C8 7_2_00007FF7C26908C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26948C4 7_2_00007FF7C26948C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2602580 7_2_00007FF7C2602580
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264E57C 7_2_00007FF7C264E57C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261655C 7_2_00007FF7C261655C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E8570 7_2_00007FF7C25E8570
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2684538 7_2_00007FF7C2684538
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25BC520 7_2_00007FF7C25BC520
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C05E0 7_2_00007FF7C25C05E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B85EC 7_2_00007FF7C26B85EC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A85A8 7_2_00007FF7C26A85A8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2618630 7_2_00007FF7C2618630
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267C630 7_2_00007FF7C267C630
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262C6F8 7_2_00007FF7C262C6F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261C6D0 7_2_00007FF7C261C6D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2666B94 7_2_00007FF7C2666B94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D4B68 7_2_00007FF7C25D4B68
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2604B30 7_2_00007FF7C2604B30
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25FCBFC 7_2_00007FF7C25FCBFC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25BAC08 7_2_00007FF7C25BAC08
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2628BD4 7_2_00007FF7C2628BD4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BCC8C 7_2_00007FF7C26BCC8C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262CC80 7_2_00007FF7C262CC80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2688C58 7_2_00007FF7C2688C58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2600C28 7_2_00007FF7C2600C28
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C8D00 7_2_00007FF7C25C8D00
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260CD10 7_2_00007FF7C260CD10
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2642CF8 7_2_00007FF7C2642CF8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A8CF4 7_2_00007FF7C26A8CF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264CCA8 7_2_00007FF7C264CCA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2608990 7_2_00007FF7C2608990
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2616984 7_2_00007FF7C2616984
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B2940 7_2_00007FF7C25B2940
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263AA00 7_2_00007FF7C263AA00
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268A9F0 7_2_00007FF7C268A9F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26109EC 7_2_00007FF7C26109EC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261E9F0 7_2_00007FF7C261E9F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263EA7C 7_2_00007FF7C263EA7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2636A84 7_2_00007FF7C2636A84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269AA58 7_2_00007FF7C269AA58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A4A58 7_2_00007FF7C26A4A58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2684A40 7_2_00007FF7C2684A40
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2654F94 7_2_00007FF7C2654F94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E4F90 7_2_00007FF7C25E4F90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D8F1C 7_2_00007FF7C25D8F1C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F107C 7_2_00007FF7C25F107C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260D094 7_2_00007FF7C260D094
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B1030 7_2_00007FF7C25B1030
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CB09C 7_2_00007FF7C25CB09C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2626D7C 7_2_00007FF7C2626D7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2692D6C 7_2_00007FF7C2692D6C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2608D2C 7_2_00007FF7C2608D2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2612D18 7_2_00007FF7C2612D18
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DEDA4 7_2_00007FF7C25DEDA4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2694E58 7_2_00007FF7C2694E58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B6EF4 7_2_00007FF7C25B6EF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EEED4 7_2_00007FF7C25EEED4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2698EAC 7_2_00007FF7C2698EAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DB36C 7_2_00007FF7C25DB36C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E7340 7_2_00007FF7C25E7340
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2645318 7_2_00007FF7C2645318
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B73F8 7_2_00007FF7C25B73F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262D410 7_2_00007FF7C262D410
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A33D0 7_2_00007FF7C26A33D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26B33D4 7_2_00007FF7C26B33D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269B3AC 7_2_00007FF7C269B3AC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2669494 7_2_00007FF7C2669494
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2617478 7_2_00007FF7C2617478
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265D460 7_2_00007FF7C265D460
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25FD440 7_2_00007FF7C25FD440
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B5438 7_2_00007FF7C25B5438
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25FF434 7_2_00007FF7C25FF434
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26814F0 7_2_00007FF7C26814F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D54A0 7_2_00007FF7C25D54A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A94A8 7_2_00007FF7C26A94A8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263F168 7_2_00007FF7C263F168
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267511C 7_2_00007FF7C267511C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26031E0 7_2_00007FF7C26031E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CD1B8 7_2_00007FF7C25CD1B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26011C8 7_2_00007FF7C26011C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2665290 7_2_00007FF7C2665290
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26292D8 7_2_00007FF7C26292D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25BF2C0 7_2_00007FF7C25BF2C0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260D2C0 7_2_00007FF7C260D2C0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26192C4 7_2_00007FF7C26192C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268D2B4 7_2_00007FF7C268D2B4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2609790 7_2_00007FF7C2609790
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CB788 7_2_00007FF7C25CB788
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2633760 7_2_00007FF7C2633760
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CF800 7_2_00007FF7C25CF800
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261D7F0 7_2_00007FF7C261D7F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26277C8 7_2_00007FF7C26277C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F17D4 7_2_00007FF7C25F17D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2617890 7_2_00007FF7C2617890
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2683874 7_2_00007FF7C2683874
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264D858 7_2_00007FF7C264D858
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264184C 7_2_00007FF7C264184C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D1830 7_2_00007FF7C25D1830
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2663820 7_2_00007FF7C2663820
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26058CC 7_2_00007FF7C26058CC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2689580 7_2_00007FF7C2689580
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EB58C 7_2_00007FF7C25EB58C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E156C 7_2_00007FF7C25E156C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262F520 7_2_00007FF7C262F520
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25BF610 7_2_00007FF7C25BF610
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26395FC 7_2_00007FF7C26395FC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26155F0 7_2_00007FF7C26155F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2667678 7_2_00007FF7C2667678
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2697678 7_2_00007FF7C2697678
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DD660 7_2_00007FF7C25DD660
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2685660 7_2_00007FF7C2685660
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2693638 7_2_00007FF7C2693638
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F5648 7_2_00007FF7C25F5648
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263F6D8 7_2_00007FF7C263F6D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C268D6DC 7_2_00007FF7C268D6DC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26076B0 7_2_00007FF7C26076B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C266D6A0 7_2_00007FF7C266D6A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25BFB84 7_2_00007FF7C25BFB84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2621B84 7_2_00007FF7C2621B84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2647B74 7_2_00007FF7C2647B74
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C265FB50 7_2_00007FF7C265FB50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267BB28 7_2_00007FF7C267BB28
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2663C10 7_2_00007FF7C2663C10
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261DBF0 7_2_00007FF7C261DBF0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D9BC8 7_2_00007FF7C25D9BC8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B5BA4 7_2_00007FF7C25B5BA4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BFC90 7_2_00007FF7C26BFC90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2631C90 7_2_00007FF7C2631C90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2603C60 7_2_00007FF7C2603C60
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EFC20 7_2_00007FF7C25EFC20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260FC34 7_2_00007FF7C260FC34
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C5D08 7_2_00007FF7C25C5D08
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260BCE8 7_2_00007FF7C260BCE8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E9CD0 7_2_00007FF7C25E9CD0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2679CC0 7_2_00007FF7C2679CC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25CBCA4 7_2_00007FF7C25CBCA4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263F990 7_2_00007FF7C263F990
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A994C 7_2_00007FF7C26A994C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A7938 7_2_00007FF7C26A7938
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B1A10 7_2_00007FF7C25B1A10
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25DF9B8 7_2_00007FF7C25DF9B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26319AC 7_2_00007FF7C26319AC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2601A60 7_2_00007FF7C2601A60
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2669A58 7_2_00007FF7C2669A58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262BA48 7_2_00007FF7C262BA48
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E3A40 7_2_00007FF7C25E3A40
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2617AC8 7_2_00007FF7C2617AC8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C7AB4 7_2_00007FF7C25C7AB4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25B1F80 7_2_00007FF7C25B1F80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2669FF8 7_2_00007FF7C2669FF8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E8080 7_2_00007FF7C25E8080
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2682084 7_2_00007FF7C2682084
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2618018 7_2_00007FF7C2618018
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C261C0B8 7_2_00007FF7C261C0B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26BDD84 7_2_00007FF7C26BDD84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2609D6C 7_2_00007FF7C2609D6C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2611D70 7_2_00007FF7C2611D70
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2667D70 7_2_00007FF7C2667D70
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EDD20 7_2_00007FF7C25EDD20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E5DF7 7_2_00007FF7C25E5DF7
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25C1DE8 7_2_00007FF7C25C1DE8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C264BDA0 7_2_00007FF7C264BDA0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263BE70 7_2_00007FF7C263BE70
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2641E2C 7_2_00007FF7C2641E2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2645F04 7_2_00007FF7C2645F04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2639EE4 7_2_00007FF7C2639EE4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2601ED0 7_2_00007FF7C2601ED0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263DEB0 7_2_00007FF7C263DEB0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C260DEA4 7_2_00007FF7C260DEA4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028820C4 12_2_028820C4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EDB62 12_2_153EDB62
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1540E558 12_2_1540E558
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154074E6 12_2_154074E6
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15406FEA 12_2_15406FEA
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15405E5E 12_2_15405E5E
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1540DE9D 12_2_1540DE9D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15403946 12_2_15403946
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154161F0 12_2_154161F0
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1540E0CC 12_2_1540E0CC
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154078FE 12_2_154078FE
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1542332B 12_2_1542332B
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1540E2FB 12_2_1540E2FB
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D24AA54 13_2_00007FF75D24AA54
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D255554 13_2_00007FF75D255554
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D248DF8 13_2_00007FF75D248DF8
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D257854 13_2_00007FF75D257854
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D243410 13_2_00007FF75D243410
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2537D8 13_2_00007FF75D2537D8
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D247650 13_2_00007FF75D247650
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D24D250 13_2_00007FF75D24D250
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D249E50 13_2_00007FF75D249E50
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D245240 13_2_00007FF75D245240
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D244A30 13_2_00007FF75D244A30
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D26AA30 13_2_00007FF75D26AA30
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D254224 13_2_00007FF75D254224
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D242220 13_2_00007FF75D242220
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D26EE88 13_2_00007FF75D26EE88
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D24E680 13_2_00007FF75D24E680
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D250A6C 13_2_00007FF75D250A6C
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D267F00 13_2_00007FF75D267F00
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D246EE4 13_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D271538 13_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D247D30 13_2_00007FF75D247D30
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2481D4 13_2_00007FF75D2481D4
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D26D9D0 13_2_00007FF75D26D9D0
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D24CE10 13_2_00007FF75D24CE10
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D242C48 13_2_00007FF75D242C48
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D26AC4C 13_2_00007FF75D26AC4C
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D241884 13_2_00007FF75D241884
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2518D4 13_2_00007FF75D2518D4
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D248510 13_2_00007FF75D248510
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D24B0D8 13_2_00007FF75D24B0D8
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D249B50 13_2_00007FF75D249B50
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D24372C 13_2_00007FF75D24372C
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D243F90 13_2_00007FF75D243F90
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D245B70 13_2_00007FF75D245B70
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D26AFBC 13_2_00007FF75D26AFBC
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D246BE0 13_2_00007FF75D246BE0
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D24AA54 15_2_00007FF75D24AA54
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D255554 15_2_00007FF75D255554
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D248DF8 15_2_00007FF75D248DF8
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D257854 15_2_00007FF75D257854
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D243410 15_2_00007FF75D243410
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2537D8 15_2_00007FF75D2537D8
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D247650 15_2_00007FF75D247650
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D24D250 15_2_00007FF75D24D250
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D249E50 15_2_00007FF75D249E50
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D245240 15_2_00007FF75D245240
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D244A30 15_2_00007FF75D244A30
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D26AA30 15_2_00007FF75D26AA30
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D254224 15_2_00007FF75D254224
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D242220 15_2_00007FF75D242220
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D26EE88 15_2_00007FF75D26EE88
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D24E680 15_2_00007FF75D24E680
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D250A6C 15_2_00007FF75D250A6C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D267F00 15_2_00007FF75D267F00
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D246EE4 15_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D271538 15_2_00007FF75D271538
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D247D30 15_2_00007FF75D247D30
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2481D4 15_2_00007FF75D2481D4
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D26D9D0 15_2_00007FF75D26D9D0
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D24CE10 15_2_00007FF75D24CE10
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D242C48 15_2_00007FF75D242C48
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D26AC4C 15_2_00007FF75D26AC4C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D241884 15_2_00007FF75D241884
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2518D4 15_2_00007FF75D2518D4
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D248510 15_2_00007FF75D248510
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D24B0D8 15_2_00007FF75D24B0D8
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D249B50 15_2_00007FF75D249B50
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D24372C 15_2_00007FF75D24372C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D243F90 15_2_00007FF75D243F90
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D245B70 15_2_00007FF75D245B70
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D26AFBC 15_2_00007FF75D26AFBC
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D246BE0 15_2_00007FF75D246BE0
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145874E6 27_2_145874E6
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1458E558 27_2_1458E558
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145886E8 27_2_145886E8
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14588770 27_2_14588770
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1458E0CC 27_2_1458E0CC
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456F0FA 27_2_1456F0FA
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145A4159 27_2_145A4159
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14588168 27_2_14588168
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145961F0 27_2_145961F0
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1458E2FB 27_2_1458E2FB
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145A332B 27_2_145A332B
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1457739D 27_2_1457739D
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14587D33 27_2_14587D33
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14585E5E 27_2_14585E5E
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14576E0E 27_2_14576E0E
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1458DE9D 27_2_1458DE9D
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14563FCA 27_2_14563FCA
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14586FEA 27_2_14586FEA
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145878FE 27_2_145878FE
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14583946 27_2_14583946
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1459D9C9 27_2_1459D9C9
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14577A46 27_2_14577A46
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456DB62 27_2_1456DB62
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14577BAF 27_2_14577BAF
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_028F20C4 27_2_028F20C4
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\easinvoker.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\netutils.dll 0007FA57DA2E1DE2E487492D00B99ABAECA7E9F9CAC8A10E24EB569E19F76EE1
Found potential string decryption / allocating functions
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 14551E65 appears 34 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 028F44A0 appears 67 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 14552093 appears 50 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 028F4824 appears 883 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 028F4698 appears 247 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 14584E10 appears 54 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 028F6658 appears 32 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 14584770 appears 41 times
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: String function: 02907BE8 appears 45 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 02886658 appears 32 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 15404E10 appears 54 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 02884698 appears 156 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 02884824 appears 629 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF75D253448 appears 72 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF75D25498C appears 40 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF75D25081C appears 36 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C264EB98 appears 93 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C2677BAC appears 34 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C26BF1B8 appears 183 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C26BF11C appears 37 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C25BD1C8 appears 41 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C25EBC9C appears 280 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C2677D70 appears 35 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C266ABFC appears 818 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C2670D10 appears 181 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7C26C64A6 appears 173 times
PE file contains more sections than normal
Source: netutils.dll.12.dr Static PE information: Number of sections : 19 > 10
Yara signature match
Source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000C.00000002.3723959281.000000001543B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: sppsvc.pif PID: 1104, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\RwksdoebO.bat, type: DROPPED Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: classification engine Classification label: mal100.rans.bank.troj.spyw.expl.evad.winBAT@30/20@11/3
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2432B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 4_2_00007FF75D2432B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle, 7_2_00007FF7C269826C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E7952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 12_2_153E7952
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14567952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 27_2_14567952
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D26FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, 4_2_00007FF75D26FB54
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DF474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 12_2_153DF474
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26A04A0 CLSIDFromProgID,CoCreateInstance,#358,#358,#360,#357,#359, 7_2_00007FF7C26A04A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2676320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError, 7_2_00007FF7C2676320
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EAC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW, 12_2_153EAC78
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Users\Public\Libraries\sppsvc.pif Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I8N3XG
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Enquiry 230424.bat" "
Source: C:\Users\Public\Libraries\sppsvc.pif Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Enquiry 230424.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Users\Public\Libraries\sppsvc.pif Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RwksdoebO.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\sppsvc.pif Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Rwksdoeb.PIF
Source: unknown Process created: C:\Users\Public\Libraries\Rwksdoeb.PIF "C:\Users\Public\Libraries\Rwksdoeb.PIF"
Source: unknown Process created: C:\Users\Public\Libraries\Rwksdoeb.PIF "C:\Users\Public\Libraries\Rwksdoeb.PIF"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9 Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RwksdoebO.bat" " Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Rwksdoeb.PIF Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certca.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certca.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: url.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: eamsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: am.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???y.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???y.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???y.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ????.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ????.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ????.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???2.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???2.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???2.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??????s.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: webio.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: schannel.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Enquiry 230424.bat Static file information: File size 4541520 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318625246.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.12.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1245834008.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1252345030.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1258239920.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1252691548.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1258683087.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1266660085.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.1267792748.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.1268999594.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000000.1269451055.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000002.1270307434.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: easinvoker.pdbH source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318855574.00000000149C1000.00000004.00000020.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp, easinvoker.exe.12.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1245834008.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1252345030.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1258239920.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1252691548.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1258683087.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1266660085.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.1267792748.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.1268999594.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000000.1269451055.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000F.00000002.1270307434.00007FF75D272000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1253198282.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1257588136.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1265532597.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1259143912.00007FF7C26CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr

Data Obfuscation
barindex
Yara detected DBatLoader
Source: Yara match File source: 27.2.Rwksdoeb.PIF.28f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.1519977306.0000000002871000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1444334966.00000000028F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1442112888.00000000022F5000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3708528741.0000000002881000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1270521086.000000007FBF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Binary contains a suspicious time stamp
Source: alpha.exe.3.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E4D86 GetSystemDirectoryA,LoadLibraryA,LoadLibraryA,GetProcAddress, 12_2_153E4D86
PE file contains sections with non-standard names
Source: alpha.exe.3.dr Static PE information: section name: .didat
Source: kn.exe.5.dr Static PE information: section name: .didat
Source: easinvoker.exe.12.dr Static PE information: section name: .imrsiv
Source: netutils.dll.12.dr Static PE information: section name: .xdata
Source: netutils.dll.12.dr Static PE information: section name: /4
Source: netutils.dll.12.dr Static PE information: section name: /19
Source: netutils.dll.12.dr Static PE information: section name: /31
Source: netutils.dll.12.dr Static PE information: section name: /45
Source: netutils.dll.12.dr Static PE information: section name: /57
Source: netutils.dll.12.dr Static PE information: section name: /70
Source: netutils.dll.12.dr Static PE information: section name: /81
Source: netutils.dll.12.dr Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25E3668 push rsp; ret 7_2_00007FF7C25E3669
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028832F0 push eax; ret 12_2_0288332C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028AA2F4 push 028AA35Fh; ret 12_2_028AA357
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0289D20C push ecx; mov dword ptr [esp], edx 12_2_0289D211
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02886372 push 028863CFh; ret 12_2_028863C7
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02886374 push 028863CFh; ret 12_2_028863C7
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028AA0AC push 028AA125h; ret 12_2_028AA11D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02893028 push 02893075h; ret 12_2_0289306D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02893027 push 02893075h; ret 12_2_0289306D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028AA1F8 push 028AA288h; ret 12_2_028AA280
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028AA144 push 028AA1ECh; ret 12_2_028AA1E4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0288673E push 02886782h; ret 12_2_0288677A
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02886740 push 02886782h; ret 12_2_0288677A
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0288C528 push ecx; mov dword ptr [esp], edx 12_2_0288C52D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0288D55C push 0288D588h; ret 12_2_0288D580
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0288CBA8 push 0288CD2Eh; ret 12_2_0288CD26
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02899B58 push 02899B90h; ret 12_2_02899B88
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028A9B70 push 028A9D8Eh; ret 12_2_028A9D86
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_028978C8 push 02897945h; ret 12_2_0289793D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_0288C8D6 push 0288CD2Eh; ret 12_2_0288CD26
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02896902 push 028969AFh; ret 12_2_028969A7
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02896904 push 028969AFh; ret 12_2_028969A7
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02895E38 push ecx; mov dword ptr [esp], edx 12_2_02895E3A
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02892F1C push 02892F92h; ret 12_2_02892F8A
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02897CA8 push 02897CE0h; ret 12_2_02897CD8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_02897CA6 push 02897CE0h; ret 12_2_02897CD8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D86A6 push E8154364h; iretd 12_2_153D86AB
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1541DD28 push esp; retf 12_2_1541DD30
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154087DE push dword ptr [ebx]; iretd 12_2_154087E1
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15404E56 push ecx; ret 12_2_15404E69
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15424658 push dword ptr [esp+ecx-75h]; iretd 12_2_1542465C

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Rwksdoeb.PIF Jump to dropped file
Source: C:\Users\Public\kn.exe File created: C:\Users\Public\Libraries\sppsvc.pif Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14556EB0 ShellExecuteW,URLDownloadToFileW, 27_2_14556EB0
Drops PE files
Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Rwksdoeb.PIF Jump to dropped file
Source: C:\Users\Public\kn.exe File created: C:\Users\Public\Libraries\sppsvc.pif Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Source: C:\Users\Public\Libraries\sppsvc.pif File created: C:\Users\Public\Libraries\easinvoker.exe Jump to dropped file
Source: C:\Users\Public\Libraries\sppsvc.pif File created: C:\Users\Public\Libraries\netutils.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EAB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW, 12_2_153EAB0D
Source: C:\Users\Public\Libraries\sppsvc.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rwksdoeb Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rwksdoeb Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15405E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_15405E5E
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DF7A7 Sleep,ExitProcess, 12_2_153DF7A7
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455F7A7 Sleep,ExitProcess, 27_2_1455F7A7
Contains functionality to enumerate running services
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 12_2_153EA748
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 27_2_1456A748
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\Libraries\sppsvc.pif Window / User API: threadDelayed 6320 Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Window / User API: foregroundWindowGot 1715 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\Public\Libraries\sppsvc.pif Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\Public\Libraries\sppsvc.pif Dropped PE file which has not been started: C:\Users\Public\Libraries\easinvoker.exe Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\Public\Libraries\sppsvc.pif Evasive API call chain: GetLocalTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\Public\alpha.exe API coverage: 8.4 %
Source: C:\Users\Public\alpha.exe API coverage: 8.3 %
Source: C:\Users\Public\kn.exe API coverage: 0.8 %
Source: C:\Users\Public\Libraries\sppsvc.pif API coverage: 8.2 %
Source: C:\Users\Public\alpha.exe API coverage: 9.7 %
Source: C:\Users\Public\alpha.exe API coverage: 9.7 %
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF API coverage: 6.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 6416 Thread sleep time: -139500s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 664 Thread sleep time: -666000s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 664 Thread sleep time: -18960000s >= -30000s Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 6416 Thread sleep time: -124000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF75D267B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF75D267B4C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C269234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 7_2_00007FF7C269234C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C262C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 7_2_00007FF7C262C6F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2696F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 7_2_00007FF7C2696F80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2693100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7C2693100
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26910C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7C26910C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 7_2_00007FF7C263B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25FD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C25FD440
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 7_2_00007FF7C263D4A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2673674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 7_2_00007FF7C2673674
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C263DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 7_2_00007FF7C263DBC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26919F8 #359,FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7C26919F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2691B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 7_2_00007FF7C2691B04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2635E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 7_2_00007FF7C2635E58
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 12_2_153DBD37
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 12_2_153D9665
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D783C FindFirstFileW,FindNextFileW, 12_2_153D783C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153D880C FindFirstFileW,FindNextFileW,FindClose, 12_2_153D880C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 12_2_153DBB30
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153DC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 12_2_153DC34D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153EC291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 12_2_153EC291
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E9AF5 FindFirstFileW, 12_2_153E9AF5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1541E879 FindFirstFileExA, 12_2_1541E879
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 13_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 13_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 13_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 13_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 13_2_00007FF75D267B4C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 15_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D252978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 15_2_00007FF75D252978
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D241560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00007FF75D241560
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 15_2_00007FF75D2435B8
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D267B4C FindFirstFileW,FindNextFileW,FindClose, 15_2_00007FF75D267B4C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_14559665
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 27_2_14559253
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1456C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 27_2_1456C291
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 27_2_1455C34D
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 27_2_1455BD37
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1459E879 FindFirstFileExA, 27_2_1459E879
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 27_2_1455880C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455783C FindFirstFileW,FindNextFileW, 27_2_1455783C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14569AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 27_2_14569AF5
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1455BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 27_2_1455BB30
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_028F58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 27_2_028F58CC
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 27_2_14557C97
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C267511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree, 7_2_00007FF7C267511C
Source: sppsvc.pif, 0000000C.00000002.3701876701.000000000065A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@Xj%SystemRoot%\system32\mswsock.dll
Source: sppsvc.pif, 0000000C.00000002.3701876701.0000000000690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Rwksdoeb.PIF, 0000001B.00000002.1441490327.00000000006DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: Rwksdoeb.PIF, 0000001C.00000002.1518969358.0000000000661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: C:\Users\Public\Libraries\sppsvc.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\sppsvc.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\sppsvc.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2663FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 4_2_00007FF75D2663FC
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E4D86 GetSystemDirectoryA,LoadLibraryA,LoadLibraryA,GetProcAddress, 12_2_153E4D86
Contains functionality to read the PEB
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154132B5 mov eax, dword ptr fs:[00000030h] 12_2_154132B5
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145932B5 mov eax, dword ptr fs:[00000030h] 27_2_145932B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D25823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF75D25823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D2593B0 SetUnhandledExceptionFilter, 4_2_00007FF75D2593B0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D258FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF75D258FA4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D2593B0 SetUnhandledExceptionFilter, 6_2_00007FF75D2593B0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF75D258FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF75D258FA4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26C4E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00007FF7C26C4E18
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C26C53E0 SetUnhandledExceptionFilter, 7_2_00007FF7C26C53E0
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15404FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_15404FDC
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154049F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_154049F8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_154049F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_154049F9
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15404B47 SetUnhandledExceptionFilter, 12_2_15404B47
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_1540BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_1540BB22
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D2593B0 SetUnhandledExceptionFilter, 13_2_00007FF75D2593B0
Source: C:\Users\Public\alpha.exe Code function: 13_2_00007FF75D258FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF75D258FA4
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D2593B0 SetUnhandledExceptionFilter, 15_2_00007FF75D2593B0
Source: C:\Users\Public\alpha.exe Code function: 15_2_00007FF75D258FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00007FF75D258FA4
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14584FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_2_14584FDC
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_145849F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_145849F9
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_14584B47 SetUnhandledExceptionFilter, 27_2_14584B47
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: 27_2_1458BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_1458BB22

HIPS / PFW / Operating System Protection Evasion
barindex
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 27_2_145620F7
Contains functionality to execute programs as a different user
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2677024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356, 7_2_00007FF7C2677024
Contains functionality to simulate mouse events
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_153E9627 mouse_event, 12_2_153E9627
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9 Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12 Jump to behavior
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2664AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2664AF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2664E88 DsRoleGetPrimaryDomainInformation,#357,AllocateAndInitializeSid,GetLastError,#357,AllocateAndInitializeSid,GetLastError,#357,#357,DsRoleFreeMemory,LocalFree,#357,LocalFree,LocalFree,LocalFree, 7_2_00007FF7C2664E88
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\i
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\j
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\g
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\AD|
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\x
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\Y
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerXG\u
Source: sppsvc.pif, 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.org
Source: sppsvc.pif, 0000000C.00000002.3701876701.0000000000708000.00000004.00000020.00020000.00000000.sdmp, logs.dat.12.dr Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15404C52 cpuid 12_2_15404C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 4_2_00007FF75D2551EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 4_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 4_2_00007FF75D253140
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 6_2_00007FF75D2551EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 6_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 6_2_00007FF75D253140
Source: C:\Users\Public\kn.exe Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary, 7_2_00007FF7C26C3800
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: CoInitialize,WinExec,EnumSystemLocalesA, 12_2_0289D5D0
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesA, 12_2_028A5F9F
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoA, 12_2_153DF8D1
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 12_2_15422543
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 12_2_15418404
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_1542243C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 12_2_15421CD8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 12_2_15421F50
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 12_2_15421F9B
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_15422610
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 12_2_15422036
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 12_2_154188ED
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 12_2_1542230A
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 12_2_15422313
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 13_2_00007FF75D2551EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 13_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 13_2_00007FF75D253140
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 15_2_00007FF75D2551EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 15_2_00007FF75D246EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 15_2_00007FF75D253140
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: EnumSystemLocalesW, 27_2_14598404
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 27_2_145A243C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoW, 27_2_145A2543
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 27_2_145A2610
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: EnumSystemLocalesW, 27_2_145A2036
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 27_2_145A20C3
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoW, 27_2_145A2313
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 27_2_145A1CD8
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: EnumSystemLocalesW, 27_2_145A1F50
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: EnumSystemLocalesW, 27_2_145A1F9B
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoA, 27_2_1455F8D1
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoW, 27_2_145988ED
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 27_2_0290D5D0
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 27_2_028F5A90
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoA, 27_2_028FA780
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetLocaleInfoA, 27_2_028FA7CC
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 27_2_028F5B9C
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 27_2_0290D5D0
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 27_2_02915FA0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D268654 GetSystemTime,SystemTimeToFileTime, 4_2_00007FF75D268654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C2676CB4 ConvertStringSidToSidW,LookupAccountNameW,GetLastError,#359,LocalAlloc,#357,LocalAlloc,LookupAccountNameW,GetLastError,IsValidSid,LocalFree,LocalFree, 7_2_00007FF7C2676CB4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 12_2_15419190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_15419190
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF75D24586C GetVersion, 4_2_00007FF75D24586C
AV process strings found (often used to terminate AV products)
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: sppsvc.pif, 0000000C.00000002.3717285102.0000000013B69000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000000C.00000003.1318299254.000000007E8C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1469203352.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, Rwksdoeb.PIF, 0000001B.00000002.1454012253.0000000013C03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3701876701.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3723892699.000000001517F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1441490327.0000000000711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1518969358.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1916, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 27_2_1455BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 27_2_1455BB30
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: \key3.db 27_2_1455BB30

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Users\Public\Libraries\sppsvc.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I8N3XG Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I8N3XG Jump to behavior
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I8N3XG Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.Rwksdoeb.PIF.14550000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.3701876701.0000000000708000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3723892699.000000001517F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1454883121.0000000014550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1441490327.0000000000711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1518969358.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3701876701.00000000006C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1466656072.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Rwksdoeb.PIF PID: 1916, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\Public\Libraries\Rwksdoeb.PIF Code function: cmd.exe 27_2_1455569A
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree, 7_2_00007FF7C25D227C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25EE568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree, 7_2_00007FF7C25EE568
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25D54A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree, 7_2_00007FF7C25D54A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7C25F5648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW, 7_2_00007FF7C25F5648
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430840 Sample: Enquiry 230424.bat Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 63 officerem.duckdns.org 2->63 65 ip.2007.filemail.com 2->65 67 2007.filemail.com 2->67 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 91 12 other signatures 2->91 9 cmd.exe 1 2->9         started        11 Rwksdoeb.PIF 2->11         started        14 Rwksdoeb.PIF 2->14         started        signatures3 89 Uses dynamic DNS services 63->89 process4 signatures5 16 sppsvc.pif 4 10 9->16         started        21 extrac32.exe 1 9->21         started        23 alpha.exe 1 9->23         started        25 5 other processes 9->25 93 Multi AV Scanner detection for dropped file 11->93 95 Contains functionality to bypass UAC (CMSTPLUA) 11->95 97 Detected Remcos RAT 11->97 99 5 other signatures 11->99 process6 dnsIp7 57 officerem.duckdns.org 23.95.235.29, 47212 AS-COLOCROSSINGUS United States 16->57 59 127.0.0.1 unknown unknown 16->59 61 ip.2007.filemail.com 50.7.84.74, 443, 49704, 49705 COGENT-174US United States 16->61 41 C:\Users\Public\Libraries\netutils.dll, PE32+ 16->41 dropped 43 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 16->43 dropped 45 C:\Users\Public\Rwksdoeb.url, MS 16->45 dropped 49 2 other malicious files 16->49 dropped 69 Multi AV Scanner detection for dropped file 16->69 71 Detected Remcos RAT 16->71 73 Contains functionalty to change the wallpaper 16->73 81 4 other signatures 16->81 27 extrac32.exe 1 16->27         started        31 cmd.exe 1 16->31         started        47 C:\Users\Public\alpha.exe, PE32+ 21->47 dropped 75 Drops PE files to the user root directory 21->75 77 Drops or copies certutil.exe with a different name (likely to bypass HIPS) 21->77 79 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 21->79 33 kn.exe 3 2 23->33         started        35 kn.exe 2 25->35         started        37 extrac32.exe 1 25->37         started        file8 signatures9 process10 file11 51 C:\Users\Public\Libraries\Rwksdoeb.PIF, PE32 27->51 dropped 39 conhost.exe 31->39         started        101 Registers a new ROOT certificate 33->101 103 Drops PE files with a suspicious file extension 33->103 53 C:\Users\Public\Libraries\sppsvc.pif, PE32 35->53 dropped 55 C:\Users\Public\kn.exe, PE32+ 37->55 dropped signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.95.235.29
 officerem.duckdns.org United States
36352 AS-COLOCROSSINGUS true
50.7.84.74
 ip.2007.filemail.com United States
174 COGENT-174US false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
ip.2007.filemail.com 50.7.84.74 true
officerem.duckdns.org 23.95.235.29 true
2007.filemail.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://2007.filemail.com/api/file/get?filekey=s0KQZZ20oEdeVIFeHLcUr1cebhH4324o6l6m_6VdXu7F9BC40m659-sZAcG9IQRhtA&pk_vid=4c552cad835b0021171374114500ca33 false
    		high
    127.0.0.1 true
    • 2%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown