Windows Analysis Report
Xirnkxhvuzwepe.cmd

Overview

General Information

Sample name: Xirnkxhvuzwepe.cmd
Analysis ID: 1483432
MD5: 41152edeb64fe66b4bbd10372223d23a
SHA1: bc226681860e303393e335ce81aecb6d13d13d5b
SHA256: cec24e6d4ef5928960be72f7794ee5cbe7ab4df57bd080116434724dc2ff7ebc
Tags: cmd, DbatLoader

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Drops PE files to the user root directory
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Xirnkxhvuzwepe.cmd ReversingLabs: Detection: 29%
Source: Xirnkxhvuzwepe.cmd Virustotal: Detection: 12%
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD867124 BCryptGenerateKeyPair,#360, 7_2_00007FF7FD867124
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81F168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey, 7_2_00007FF7FD81F168
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD815164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7FD815164
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD813188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError, 7_2_00007FF7FD813188
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD867178 BCryptCloseAlgorithmProvider,#360, 7_2_00007FF7FD867178
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85F4A0 CryptHashPublicKeyInfo,SetLastError, 7_2_00007FF7FD85F4A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD84B4EC CryptDecodeObjectEx,SetLastError, 7_2_00007FF7FD84B4EC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8614F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext, 7_2_00007FF7FD8614F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F3504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle, 7_2_00007FF7FD7F3504
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8334F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError, 7_2_00007FF7FD8334F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7FD83342C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7FD86141C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD795438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree, 7_2_00007FF7FD795438
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD84B464 CryptEncodeObjectEx,SetLastError, 7_2_00007FF7FD84B464
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81F488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree, 7_2_00007FF7FD81F488
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD839480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7FD839480
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8433B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357, 7_2_00007FF7FD8433B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError, 7_2_00007FF7FD86739C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8133A0 CryptVerifyCertificateSignature,CertCompareCertificateName, 7_2_00007FF7FD8133A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8693A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7FD8693A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8153E8 CryptEncodeObjectEx,GetLastError,#357, 7_2_00007FF7FD8153E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 7_2_00007FF7FD81B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F13F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext, 7_2_00007FF7FD7F13F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7CB324 CryptDecodeObject,GetLastError,#357,#357,LocalFree, 7_2_00007FF7FD7CB324
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C7340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree, 7_2_00007FF7FD7C7340
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F5338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7FD7F5338
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7EB350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357, 7_2_00007FF7FD7EB350
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BB36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString, 7_2_00007FF7FD7BB36C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD833390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError, 7_2_00007FF7FD833390
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866EA8 NCryptImportKey,#360, 7_2_00007FF7FD866EA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD890ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359, 7_2_00007FF7FD890ED0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830EF4 NCryptImportKey,#205,#359,#359,#357, 7_2_00007FF7FD830EF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C0E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7C0E24
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866E48 NCryptSetProperty,#360, 7_2_00007FF7FD866E48
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD832E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree, 7_2_00007FF7FD832E6C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD874E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360, 7_2_00007FF7FD874E58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85EE94 CryptSignMessage,SetLastError, 7_2_00007FF7FD85EE94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD802E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree, 7_2_00007FF7FD802E7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D0E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext, 7_2_00007FF7FD7D0E94
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD862DAC #357,#357,CryptFindOIDInfo,LocalFree, 7_2_00007FF7FD862DAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD858DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree, 7_2_00007FF7FD858DD0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830DD4 NCryptGetProperty,#205,#359,#357,#359,#357, 7_2_00007FF7FD830DD4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD880DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357, 7_2_00007FF7FD880DB8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD814DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7FD814DDC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866DE0 NCryptCreatePersistedKey,#360, 7_2_00007FF7FD866DE0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866D2C NCryptFreeBuffer,#360, 7_2_00007FF7FD866D2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F2D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7FD7F2D18
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD832D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError, 7_2_00007FF7FD832D78
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866D78 NCryptOpenKey,#360, 7_2_00007FF7FD866D78
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830D84 NCryptFreeObject,#205,#357, 7_2_00007FF7FD830D84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7FB098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357, 7_2_00007FF7FD7FB098
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83B0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7FD83B0A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8670C8 BCryptSetProperty,#360, 7_2_00007FF7FD8670C8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8310D8 NCryptSetProperty,#205,#359,#357,#359,#357, 7_2_00007FF7FD8310D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8330D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError, 7_2_00007FF7FD8330D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD829028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree, 7_2_00007FF7FD829028
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7A302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection, 7_2_00007FF7FD7A302F
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7A7034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext, 7_2_00007FF7FD7A7034
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7FD83301C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD837020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7FD837020
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86705C BCryptGetProperty,#360, 7_2_00007FF7FD86705C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD831058 NCryptOpenStorageProvider,#205,#359,#357, 7_2_00007FF7FD831058
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree, 7_2_00007FF7FD7D107C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866FAC BCryptOpenAlgorithmProvider,#360, 7_2_00007FF7FD866FAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830FB4 NCryptOpenKey,#205,#359,#357,#357, 7_2_00007FF7FD830FB4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86700C BCryptEnumAlgorithms,#360, 7_2_00007FF7FD86700C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866F2C NCryptExportKey,#360, 7_2_00007FF7FD866F2C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C8F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError, 7_2_00007FF7FD7C8F1C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD814F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree, 7_2_00007FF7FD814F50
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85EF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD85EF74
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD820F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext, 7_2_00007FF7FD820F58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C4F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357, 7_2_00007FF7FD7C4F90
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD838AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException, 7_2_00007FF7FD838AA0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830ABC BCryptVerifySignature,#205,#357,#357,#357,#357, 7_2_00007FF7FD830ABC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD832AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError, 7_2_00007FF7FD832AE4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D2B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer, 7_2_00007FF7FD7D2B00
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD828AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7FD828AFC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD814A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree, 7_2_00007FF7FD814A34
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830A18 BCryptSetProperty,#205,#359,#357,#357, 7_2_00007FF7FD830A18
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD834A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException, 7_2_00007FF7FD834A1C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7A6A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree, 7_2_00007FF7FD7A6A84
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD862A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359, 7_2_00007FF7FD862A78
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash, 7_2_00007FF7FD81EA7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey, 7_2_00007FF7FD7F29A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83099C BCryptOpenAlgorithmProvider,#205,#359,#359, 7_2_00007FF7FD83099C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7FD86A9F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7FE9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW, 7_2_00007FF7FD7FE9F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree, 7_2_00007FF7FD81AA00
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD838940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException, 7_2_00007FF7FD838940
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83C940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException, 7_2_00007FF7FD83C940
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BC960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree, 7_2_00007FF7FD7BC960
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD862994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree, 7_2_00007FF7FD862994
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z, 7_2_00007FF7FD83ACAC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD824CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7FD824CA0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F4CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free, 7_2_00007FF7FD7F4CC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD888CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree, 7_2_00007FF7FD888CF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866CE0 NCryptEnumStorageProviders,#360, 7_2_00007FF7FD866CE0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830D14 NCryptFinalizeKey,#205,#357,#357, 7_2_00007FF7FD830D14
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD822CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357, 7_2_00007FF7FD822CF8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD832CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError, 7_2_00007FF7FD832CFC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7CCC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider, 7_2_00007FF7FD7CCC24
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866C30 NCryptOpenStorageProvider,#360, 7_2_00007FF7FD866C30
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830C3C NCryptExportKey,#205,#359,#359,#357, 7_2_00007FF7FD830C3C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD796C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree, 7_2_00007FF7FD796C4C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD868C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree, 7_2_00007FF7FD868C58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866C88 NCryptEnumAlgorithms,#360, 7_2_00007FF7FD866C88
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD832C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError, 7_2_00007FF7FD832C80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD874C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext, 7_2_00007FF7FD874C80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree, 7_2_00007FF7FD85CBB4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BCB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle, 7_2_00007FF7FD7BCB98
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD860B9C CryptHashData,GetLastError,#357, 7_2_00007FF7FD860B9C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD832BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7FD832BC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD860BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash, 7_2_00007FF7FD860BF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD89EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree, 7_2_00007FF7FD89EB38
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830B80 NCryptCreatePersistedKey,#205,#359,#359,#357, 7_2_00007FF7FD830B80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D26E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357, 7_2_00007FF7FD7D26E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8666D8 NCryptFreeObject,#360, 7_2_00007FF7FD8666D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8586D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext, 7_2_00007FF7FD8586D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C0630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7C0630
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866654 NCryptGetProperty,#360, 7_2_00007FF7FD866654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7FA654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore, 7_2_00007FF7FD7FA654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD804694 CertFindAttribute,CryptHashCertificate2,memcmp,#357, 7_2_00007FF7FD804694
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C6694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose, 7_2_00007FF7FD7C6694
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8365B4 NCryptIsKeyHandle,_CxxThrowException, 7_2_00007FF7FD8365B4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BC5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree, 7_2_00007FF7FD7BC5D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey, 7_2_00007FF7FD7F25E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7B8600 #357,CryptDecodeObject,GetLastError,LocalFree, 7_2_00007FF7FD7B8600
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD89A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject, 7_2_00007FF7FD89A58C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 7_2_00007FF7FD86A590
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD82E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore, 7_2_00007FF7FD82E57C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD89E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree, 7_2_00007FF7FD89E8B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7AA8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore, 7_2_00007FF7FD7AA8CC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8308EC BCryptGetProperty,#205,#359,#357,#357, 7_2_00007FF7FD8308EC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD864914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7FD864914
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash, 7_2_00007FF7FD81E914
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7B6824 CryptHashCertificate,GetLastError,#357, 7_2_00007FF7FD7B6824
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830844 BCryptExportKey,#205,#359,#357,#357, 7_2_00007FF7FD830844
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8307A4 BCryptDestroyHash,#205,#357, 7_2_00007FF7FD8307A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8407D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7FD8407D0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8227BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD8227BC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7967CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7967CC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7FD81C7F0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8307F4 BCryptDestroyKey,#205,#357, 7_2_00007FF7FD8307F4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD868814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357, 7_2_00007FF7FD868814
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD822724 CryptDecodeObject,GetLastError,#357, 7_2_00007FF7FD822724
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830740 BCryptCloseAlgorithmProvider,#205,#357,#357, 7_2_00007FF7FD830740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7FD86A740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD868298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove, 7_2_00007FF7FD868298
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD89A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject, 7_2_00007FF7FD89A2E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D0300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357, 7_2_00007FF7FD7D0300
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7FD85E274
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD806280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD806280
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD852278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext, 7_2_00007FF7FD852278
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D21A4 #360,#359,#357,#357,BCryptFreeBuffer, 7_2_00007FF7FD7D21A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8561AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357, 7_2_00007FF7FD8561AC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree, 7_2_00007FF7FD81A1E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD896214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError, 7_2_00007FF7FD896214
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD82E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject, 7_2_00007FF7FD82E1F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357, 7_2_00007FF7FD86A1F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD89613C CryptDecodeObjectEx, 7_2_00007FF7FD89613C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey, 7_2_00007FF7FD7F417C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD816194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext, 7_2_00007FF7FD816194
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8024D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext, 7_2_00007FF7FD8024D4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7A44E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7A44E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 7_2_00007FF7FD85E516
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BC514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree, 7_2_00007FF7FD7BC514
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD80A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free, 7_2_00007FF7FD80A450
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD80C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore, 7_2_00007FF7FD80C450
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD828488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD828488
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BE3B0 #357,#357,CryptDecodeObject,LocalFree, 7_2_00007FF7FD7BE3B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D23E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer, 7_2_00007FF7FD7D23E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7B4410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7B4410
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD868404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext, 7_2_00007FF7FD868404
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD826374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror, 7_2_00007FF7FD826374
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD822358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext, 7_2_00007FF7FD822358
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF6EB1735B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF6EB1735B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD815E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 7_2_00007FF7FD815E58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD871B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 7_2_00007FF7FD871B04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8719F8 #359,FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7FD8719F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 7_2_00007FF7FD81DBC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD853674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 7_2_00007FF7FD853674
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 7_2_00007FF7FD81D4A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7DD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7DD440
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 7_2_00007FF7FD81B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8710C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7FD8710C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD873100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7FD873100
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD876F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 7_2_00007FF7FD876F80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD80C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 7_2_00007FF7FD80C6F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD87234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 7_2_00007FF7FD87234C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 10_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 10_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 10_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 10_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 10_2_00007FF6EB1735B8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 11_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 11_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 11_2_00007FF6EB1735B8
Source: kn.exe String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: kn.exe String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token

E-Banking Fraud

Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8460BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore, 7_2_00007FF7FD8460BC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree, 7_2_00007FF7FD7BF9B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7CFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357, 7_2_00007FF7FD7CFC20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8698B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext, 7_2_00007FF7FD8698B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD82184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree, 7_2_00007FF7FD82184C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError, 7_2_00007FF7FD83342C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8693A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7FD8693A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866EA8 NCryptImportKey,#360, 7_2_00007FF7FD866EA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830EF4 NCryptImportKey,#205,#359,#359,#357, 7_2_00007FF7FD830EF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD820F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext, 7_2_00007FF7FD820F58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash, 7_2_00007FF7FD81EA7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey, 7_2_00007FF7FD7F29A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey, 7_2_00007FF7FD7F25E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext, 7_2_00007FF7FD86A740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD82E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject, 7_2_00007FF7FD82E1F8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 4_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 4_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 4_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 4_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 4_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 4_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB18898C NtQueryInformationToken, 4_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken, 4_2_00007FF6EB1889E4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 6_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 6_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 6_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 6_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 6_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 6_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB18898C NtQueryInformationToken, 6_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken, 6_2_00007FF6EB1889E4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD88C964 NtQuerySystemTime,RtlTimeToSecondsSince1970, 7_2_00007FF7FD88C964
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 10_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError, 10_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 10_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 10_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 10_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 10_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB18898C NtQueryInformationToken, 10_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken, 10_2_00007FF6EB1889E4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 11_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError, 11_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 11_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 11_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 11_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 11_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB18898C NtQueryInformationToken, 11_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken, 11_2_00007FF6EB1889E4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB175240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 4_2_00007FF6EB175240
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB184224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList, 4_2_00007FF6EB184224
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF6EB18498C appears 40 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF6EB18081C appears 36 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF6EB183448 appears 72 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD89F11C appears 37 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD89F1B8 appears 183 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD857BAC appears 34 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD82EB98 appears 93 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD8A64A6 appears 173 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD857D70 appears 35 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD79D1C8 appears 41 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD850D10 appears 181 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD7CBC9C appears 280 times
Source: C:\Users\Public\kn.exe Code function: String function: 00007FF7FD84ABFC appears 818 times
Source: classification engine Classification label: mal72.bank.evad.winCMD@20/10@0/0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1732B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 4_2_00007FF6EB1732B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD87826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle, 7_2_00007FF7FD87826C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB19FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, 4_2_00007FF6EB19FB54
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D7EC0 CoCreateInstance,#357,#207,LocalFree,LocalFree, 7_2_00007FF7FD7D7EC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8A3148 FindResourceExW,LoadResource, 7_2_00007FF7FD8A3148
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Xirnkxhvuzwepe.cmd ReversingLabs: Detection: 29%
Source: Xirnkxhvuzwepe.cmd Virustotal: Detection: 12%
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certcli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: certca.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\kn.exe Section loaded: profapi.dll Jump to behavior
Source: Xirnkxhvuzwepe.cmd Static file information: File size 3228698 > 1048576
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: alpha.exe.3.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: alpha.exe.3.dr Static PE information: section name: .didat
Source: kn.exe.5.dr Static PE information: section name: .didat
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7C3668 push rsp; ret 7_2_00007FF7FD7C3669
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file

Boot Survival

Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\alpha.exe API coverage: 7.9 %
Source: C:\Users\Public\alpha.exe API coverage: 8.4 %
Source: C:\Users\Public\kn.exe API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe API coverage: 9.6 %
Source: C:\Users\Public\alpha.exe API coverage: 9.7 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF6EB1735B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF6EB1735B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD815E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 7_2_00007FF7FD815E58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD871B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 7_2_00007FF7FD871B04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8719F8 #359,FindFirstFileW,FindNextFileW,FindClose, 7_2_00007FF7FD8719F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 7_2_00007FF7FD81DBC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD853674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 7_2_00007FF7FD853674
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 7_2_00007FF7FD81D4A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7DD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 7_2_00007FF7FD7DD440
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 7_2_00007FF7FD81B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8710C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7FD8710C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD873100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 7_2_00007FF7FD873100
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD876F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 7_2_00007FF7FD876F80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD80C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 7_2_00007FF7FD80C6F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD87234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 7_2_00007FF7FD87234C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 10_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 10_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 10_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 10_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 10_2_00007FF6EB1735B8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 11_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 11_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose, 11_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 11_2_00007FF6EB1735B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD85511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree, 7_2_00007FF7FD85511C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1963FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 4_2_00007FF6EB1963FC
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF6EB188FA4
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1893B0 SetUnhandledExceptionFilter, 4_2_00007FF6EB1893B0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF6EB188FA4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1893B0 SetUnhandledExceptionFilter, 6_2_00007FF6EB1893B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8A53E0 SetUnhandledExceptionFilter, 7_2_00007FF7FD8A53E0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8A4E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00007FF7FD8A4E18
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00007FF6EB188FA4
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1893B0 SetUnhandledExceptionFilter, 10_2_00007FF6EB1893B0
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FF6EB188FA4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1893B0 SetUnhandledExceptionFilter, 11_2_00007FF6EB1893B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe Jump to dropped file
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD857024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356, 7_2_00007FF7FD857024
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 Jump to behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10 Jump to behavior
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8872B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA, 7_2_00007FF7FD8872B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD854E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid, 7_2_00007FF7FD854E98
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 4_2_00007FF6EB1851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 4_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 4_2_00007FF6EB183140
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 6_2_00007FF6EB1851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 6_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 6_2_00007FF6EB183140
Source: C:\Users\Public\kn.exe Code function: LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary, 7_2_00007FF7FD8A3800
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 10_2_00007FF6EB1851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 10_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 10_2_00007FF6EB183140
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 11_2_00007FF6EB1851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 11_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 11_2_00007FF6EB183140
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB198654 GetSystemTime,SystemTimeToFileTime, 4_2_00007FF6EB198654
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD88BEE8 LookupAccountNameW,GetLastError,GetLastError,#357,LocalAlloc,LocalAlloc,#357,LookupAccountNameW,GetLastError,#357,LocalFree,LocalFree, 7_2_00007FF7FD88BEE8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB17586C GetVersion, 4_2_00007FF6EB17586C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7D5648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW, 7_2_00007FF7FD7D5648
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7B54A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree, 7_2_00007FF7FD7B54A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7CE568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree, 7_2_00007FF7FD7CE568
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7B227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree, 7_2_00007FF7FD7B227C
No contacted IP infos