
Windows Analysis Report
K2Z6KZbzFS.exe

Overview

General Information

Sample Name: K2Z6KZbzFS.exe
Analysis ID: 679422
MD5: 3333e40e61ff33675c26e7a712a7808d
SHA1: 7e314834674c7bf514f68790a0e88b014e9115a4
SHA256: a4bac13abfd454b26ddd32a25d87080e7e4bf8b6a9e85e7e91736b3f944565c3
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc.)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • K2Z6KZbzFS.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\K2Z6KZbzFS.exe" MD5: 3333E40E61FF33675C26E7A712A7808D)
  • cleanup
{"C2 url": ["stcontact.top:80"], "Bot Id": "AF2", "Authorization Header": "4d729a2faecb406a0eb1d6fcf30432fa"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.492458153.0000000000698000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x1320:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x28ec6:$pat14: , CommandLine:
  • 0x1d6a8:$v2_1: ListOfProcesses
  • 0x1ce4b:$v4_3: base64str
  • 0x1ce18:$v4_4: stringKey
  • 0x1ce55:$v4_5: BytesToStringConverted
  • 0x1ce40:$v4_6: FromBase64
  • 0x1d363:$v4_8: procName
  • 0x1afab:$v5_7: RecordHeaderField
  • 0x1aee7:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
(12 entries in total; remaining entries not shown)

Source | Rule | Description | Author | Strings
0.2.K2Z6KZbzFS.exe.4a20000.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.K2Z6KZbzFS.exe.4a20000.6.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x261de:$pat14: , CommandLine:
  • 0x1a9c0:$v2_1: ListOfProcesses
  • 0x1a163:$v4_3: base64str
  • 0x1a130:$v4_4: stringKey
  • 0x1a16d:$v4_5: BytesToStringConverted
  • 0x1a158:$v4_6: FromBase64
  • 0x1a67b:$v4_8: procName
  • 0x182c3:$v5_7: RecordHeaderField
  • 0x181ff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x27fde:$pat14: , CommandLine:
  • 0x1c7c0:$v2_1: ListOfProcesses
  • 0x1bf63:$v4_3: base64str
  • 0x1bf30:$v4_4: stringKey
  • 0x1bf6d:$v4_5: BytesToStringConverted
  • 0x1bf58:$v4_6: FromBase64
  • 0x1c47b:$v4_8: procName
  • 0x1a0c3:$v5_7: RecordHeaderField
  • 0x19fff:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.K2Z6KZbzFS.exe.4a20000.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(27 entries in total; remaining entries not shown)

No Sigma rule has matched
Snort IDS alerts

Timestamp: 08/05/22-18:42:26.812831
Source: 192.168.2.5:61356
Destination: 8.8.8.8:53
Protocol: UDP
SID: 2023883
Classtype: Potentially Bad Traffic

Timestamp: 08/05/22-18:42:31.139956
Source: 192.168.2.5:49765
Destination: 91.203.192.233:80
Protocol: TCP
SID: 2850286
Classtype: A Network Trojan was detected

Timestamp: 08/05/22-18:42:29.205624
Source: 91.203.192.233:80
Destination: 192.168.2.5:49765
Protocol: TCP
SID: 2850353
Classtype: A Network Trojan was detected

Timestamp: 08/05/22-18:42:27.425256
Source: 192.168.2.5:49765
Destination: 91.203.192.233:80
Protocol: TCP
SID: 2850027
Classtype: A Network Trojan was detected



AV Detection

Source: K2Z6KZbzFS.exe | Virustotal: Detection: 34%
Source: K2Z6KZbzFS.exe | Metadefender: Detection: 42%
Source: K2Z6KZbzFS.exe | ReversingLabs: Detection: 69%
Source: K2Z6KZbzFS.exe | Joe Sandbox ML: detected
Source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["stcontact.top:80"], "Bot Id": "AF2", "Authorization Header": "4d729a2faecb406a0eb1d6fcf30432fa"}

Compliance

Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Unpacked PE file: 0.2.K2Z6KZbzFS.exe.400000.0.unpack
Source: K2Z6KZbzFS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: _.pdb | source: K2Z6KZbzFS.exe, 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\gepegevosir43-yoz45\vuxa\linagojexagar\n.pdb | source: K2Z6KZbzFS.exe
Source: Binary string: =C:\gepegevosir43-yoz45\vuxa\linagojexagar\n.pdb | source: K2Z6KZbzFS.exe

Networking

Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:61356 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49765 -> 91.203.192.233:80
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49765 -> 91.203.192.233:80
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 91.203.192.233:80 -> 192.168.2.5:49765
Source: Joe Sandbox View | ASN Name: GARANT-PARK-INTERNETRU GARANT-PARK-INTERNETRU
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/search
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: unknownDNS traffic detected: queries for: stcontact.top

                  System Summary

                  Source: 0.2.K2Z6KZbzFS.exe.4a20000.6.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.4a20000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.22f0000.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.3.K2Z6KZbzFS.exe.704420.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.2203db6.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.3.K2Z6KZbzFS.exe.2120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.610e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.2203db6.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.2.K2Z6KZbzFS.exe.22f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.3.K2Z6KZbzFS.exe.704420.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000002.492458153.0000000000698000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000002.491785643.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000000.00000002.490903331.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: K2Z6KZbzFS.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.K2Z6KZbzFS.exe.4a20000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.4a20000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.22f0000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.K2Z6KZbzFS.exe.704420.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.2203db6.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.K2Z6KZbzFS.exe.2120000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.610e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.2203db6.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.K2Z6KZbzFS.exe.22f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.3.K2Z6KZbzFS.exe.704420.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.492458153.0000000000698000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.491785643.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000000.00000002.490903331.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00408C60
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_0040DC11
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00407C3F
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00418CCC
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00406CA0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_004028B0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_0041A4BE
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00418244
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00401650
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00402F20
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_004193C4
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00418788
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00402F89
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_00402B90
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_004073A0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_02331AE0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_02331AD0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057B97E0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057BD2CF
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057BB848
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057BD830
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057BE990
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057BDB61
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_057B8AA8
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_059029F8
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_0590EBB0
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_0590F592
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: String function: 0040E1D8 appears 44 times
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePrejudice.exe4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePrejudice.exe4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.501455685.000000000355B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrejudice.exe4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.491359599.0000000000439000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePrejudice.exe4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrejudice.exe4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrejudice.exe4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs K2Z6KZbzFS.exe
                  Source: K2Z6KZbzFS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: K2Z6KZbzFS.exe Virustotal: Detection: 34%
                  Source: K2Z6KZbzFS.exe Metadefender: Detection: 42%
                  Source: K2Z6KZbzFS.exe ReversingLabs: Detection: 69%
                  Source: K2Z6KZbzFS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/1@3/2
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe Command line argument: 08A
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: K2Z6KZbzFS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: _.pdb source: K2Z6KZbzFS.exe, 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\gepegevosir43-yoz45\vuxa\linagojexagar\n.pdb source: K2Z6KZbzFS.exe
                  Source: Binary string: =C:\gepegevosir43-yoz45\vuxa\linagojexagar\n.pdb source: K2Z6KZbzFS.exe

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Unpacked PE file: 0.2.K2Z6KZbzFS.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Unpacked PE file: 0.2.K2Z6KZbzFS.exe.400000.0.unpack .text:ER;.data:W;.gay:W;.gayeta:W;.kux:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0041C40C push cs; iretd
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_00423149 push eax; ret
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0041C50E push cs; iretd
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_004231C8 push eax; ret
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0040E21D push ecx; ret
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0041C6BE push ebx; ret
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_057BB848 pushfd ; retn 0578h
                  Source: K2Z6KZbzFS.exe | Static PE information: section name: .gay
                  Source: K2Z6KZbzFS.exe | Static PE information: section name: .gayeta
                  Source: K2Z6KZbzFS.exe | Static PE information: section name: .kux
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe TID: 5612 | Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe TID: 5860 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe TID: 3348 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Window / User API: threadDelayed 3607
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | API call chain: ExitProcess graph end node
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.508160004.0000000005800000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.508160004.0000000005800000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareW5H7SATUWin32_VideoController_GSNLWG2VideoController120060621000000.000000-0002107.823display.infMSBDA3AYN4V2GPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsWWXONXSB
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.508160004.0000000005800000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_02330490 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: GetLocaleInfoA,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.511796568.0000000006C50000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.508160004.0000000005800000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.508819622.00000000058BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.4a20000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.4a20000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.K2Z6KZbzFS.exe.704420.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2203db6.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.K2Z6KZbzFS.exe.2120000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.610e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2203db6.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.K2Z6KZbzFS.exe.704420.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.408726056.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.491785643.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.490903331.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: K2Z6KZbzFS.exe PID: 5724, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                  Source: K2Z6KZbzFS.exe, 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\K2Z6KZbzFS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara match | File source: 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: K2Z6KZbzFS.exe PID: 5724, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.4a20000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.4a20000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.K2Z6KZbzFS.exe.704420.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2203db6.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2204c9e.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.K2Z6KZbzFS.exe.2120000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.610e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.2203db6.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0ee8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.K2Z6KZbzFS.exe.22f0000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.3.K2Z6KZbzFS.exe.704420.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.408726056.0000000000704000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.491785643.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.490903331.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: K2Z6KZbzFS.exe PID: 5724, type: MEMORYSTR
                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | 221 Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 261 Security Software Discovery | Remote Desktop Protocol | 3 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | 2 Native API | Logon Script (Windows) | Logon Script (Windows) | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 12 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                  Source | Detection | Scanner | Label | Link
                  K2Z6KZbzFS.exe | 34% | Virustotal | | Browse
                  K2Z6KZbzFS.exe | 43% | Metadefender | | Browse
                  K2Z6KZbzFS.exe | 69% | ReversingLabs | Win32.Trojan.Generic |
                  K2Z6KZbzFS.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link | Download
                  0.2.K2Z6KZbzFS.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1251498 | | Download File
                  Source | Detection | Scanner | Label | Link
                  stcontact.top | 2% | Virustotal | | Browse
                  api.ip.sb | 5% | Virustotal | | Browse
                  Source | Detection | Scanner | Label | Link
                  http://tempuri.org/ | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
                  https://api.ip.sb/ip | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
                  http://www.w3.o | 0% | URL Reputation | safe |
                  https://api.ip.sb | 0% | URL Reputation | safe |
                  http://tempuri.org/Entity/Id1 | 0% | URL Reputation | safe |
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
stcontact.top | 91.203.192.233 | true | true | | unknown
api.ip.sb | unknown | unknown | true | | unknown
                  NameSourceMaliciousAntivirus DetectionReputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sctK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      https://duckduckgo.com/chrome_newtabK2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://duckduckgo.com/ac/?q=K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://tempuri.org/K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://tempuri.org/Entity/Id2ResponseK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceK2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/faultK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsatK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://api.ip.sb/ipK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501455685.000000000355B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2004/04/scK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id1ResponseK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedK2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressingK2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://search.yahoo.com/searchK2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsK2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RenewK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentityK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trustK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/06/addressingexK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoorK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseK2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultK2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeyK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.w3.oK2Z6KZbzFS.exe, 00000000.00000002.498673203.00000000027D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CommittedK2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1 | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty | K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement | K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2002/12/policy | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1 | K2Z6KZbzFS.exe, 00000000.00000002.496332551.0000000002531000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | K2Z6KZbzFS.exe, 00000000.00000002.499611932.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501186472.0000000002AA5000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501429760.0000000003557000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501087449.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498120552.0000000002755000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.497981876.000000000272D000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.498197742.000000000276B000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.503830670.00000000037CD000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499502052.00000000028B2000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.501317171.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, K2Z6KZbzFS.exe, 00000000.00000002.499769083.00000000028EF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego | K2Z6KZbzFS.exe, 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp | false | | high
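Almost everything in the string table above is noise for an analyst: the schemas.xmlsoap.org, docs.oasis-open.org and tempuri.org entries are WS-*/WCF namespace URIs that the .NET Framework bakes into any assembly touching those stacks, and the google/yahoo/ecosia entries are default search-provider URLs that a stealer picks up while parsing browser profiles. The one string that deserves attention is https://api.ip.sb, a public IP-lookup service, which the reputation column rates "safe/unknown" and whose CDN hostname api.ip.sb.cdn.cloudflare.net sits in the analysis whitelist further down, so traffic to it would not show in the contacted-IP table either. The following triage filter is an added example, not part of the Joe Sandbox report; the host allowlists and the sample rows (reconstructed from the table, count = number of memory dumps listed) are this example's own assumptions.

```python
"""Triage URL strings recovered from process memory dumps.

Added example (not part of the Joe Sandbox report). Separates .NET/WCF
namespace URIs and browser default-search endpoints, which any .NET stealer
carries as byproducts, from the few strings worth treating as network IOCs.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: (string, number of memory dumps it appeared in), taken
# from the report's string table. Counts are informational only.
SAMPLE_ROWS = [
    ("http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1", 1),
    ("http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1", 1),
    ("https://www.google.com/images/branding/product/ico/googleg_lodp.ico", 11),
    ("https://api.ip.sb", 1),
    ("https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search", 10),
    ("http://tempuri.org/Entity/Id1", 1),
    ("https://ac.ecosia.org/autocomplete?q=", 11),
    ("http://schemas.xmlsoap.org/ws/2005/02/trust/spnego", 1),
]

# Assumption of this example: hosts that serve only as XML namespace
# identifiers inside the .NET Framework (WCF, WS-Trust, WS-Security, ...).
FRAMEWORK_NS_HOSTS = {
    "schemas.xmlsoap.org", "docs.oasis-open.org", "tempuri.org",
    "www.w3.org", "schemas.microsoft.com",
}

# Assumption of this example: default search-provider/favicon hosts that
# Chromium-based browsers store in their profile data; a stealer that reads
# those profiles ends up with the URLs in memory without ever contacting them.
BROWSER_DEFAULT_HOSTS = {
    "www.google.com", "search.yahoo.com", "ac.ecosia.org",
    "duckduckgo.com", "www.bing.com",
}

URL_START = re.compile(r"https?://")


def split_fused(s):
    """Split strings in which two URLs were stored back to back with no separator."""
    starts = [m.start() for m in URL_START.finditer(s)]
    if len(starts) <= 1:
        return [s]
    return [s[a:b] for a, b in zip(starts, starts[1:] + [len(s)])]


def classify(url):
    """Bucket a single URL by its host."""
    host = urlsplit(url).hostname or ""
    if host in FRAMEWORK_NS_HOSTS:
        return "framework-namespace"
    if host in BROWSER_DEFAULT_HOSTS:
        return "browser-default"
    return "candidate-ioc"


def triage(rows):
    """Return {category: sorted, de-duplicated URL list} for (string, count) rows."""
    buckets = {"framework-namespace": [], "browser-default": [], "candidate-ioc": []}
    for raw, _count in rows:
        for url in split_fused(raw):
            buckets[classify(url)].append(url)
    return {k: sorted(set(v)) for k, v in buckets.items()}


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_ROWS).items():
        print(f"{category}:")
        for u in urls:
            print(f"  {u}")
```

Run against the rows above, the only candidate indicator left is https://api.ip.sb. Note what the filter cannot do: the C2 host in the network table below (stcontact.top, 91.203.192.233) does not appear among these strings at all, and the report's "Found potential string decryption / allocating functions" signature is the likely reason. A clean string list is therefore never evidence of absent C2; it only tells you which strings are worth pivoting on.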
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
91.203.192.233 | stcontact.top | Russian Federation | 47196 | GARANT-PARK-INTERNETRU | true

Private IPs
192.168.2.1
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679422
Start date and time: 2022-08-05 18:41:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: K2Z6KZbzFS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 13.3% (good quality ratio 12.7%)
• Quality average: 84.9%
• Quality standard deviation: 24.9%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.26.13.31, 172.67.75.172, 104.26.12.31
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:42:43 | API Interceptor | 21x Sleep call for process: K2Z6KZbzFS.exe modified
No context
Process: C:\Users\user\Desktop\K2Z6KZbzFS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2932
Entropy (8bit): 5.334469918014252
Encrypted: false
SSDEEP: 48:MIHK5HKXeHKlEHU0YHKhQnouHIWUfHK7HKhBHKdHKB1AHKzvQTHmtHoxHImHK1HQ:Pq5qXeqm00YqhQnouOq7qLqdqUqzcGtk
MD5: E35A7613F21B0D1588DE4D14CF853427
SHA1: 18AE391E9AB0C970849150EE4D7111473EEE2BD3
SHA-256: 2EB260A8675B41093A7696456E8386F5D212A131BB298D9CC1C58D05E3DA8D49
SHA-512: 6E06C59608F8E491D69F66BB1E83DD522A48D1836CA6B03449822E7BD126ACB2EEEB08FA748CF6E2A524EED361738549B48712E3146AE3D3E958CD2ECD73D10E
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Cultu
                                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Entropy (8bit):7.022503364619211
                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                            File name:K2Z6KZbzFS.exe
                                                                                                                                                                                                            File size:409088
                                                                                                                                                                                                            MD5:3333e40e61ff33675c26e7a712a7808d
                                                                                                                                                                                                            SHA1:7e314834674c7bf514f68790a0e88b014e9115a4
                                                                                                                                                                                                            SHA256:a4bac13abfd454b26ddd32a25d87080e7e4bf8b6a9e85e7e91736b3f944565c3
                                                                                                                                                                                                            SHA512:c9774df3adaa867ad7aee060db9451091686725570834eb1a06473d56f051fd40034471c8e76ad9d993b6e43d209bcc3704eed27b9d01a3d208ddd40bead2ec2
                                                                                                                                                                                                            SSDEEP:12288:SAAqMeiD2Fr/cJZtfc9GVM5tQHOBR/F+L412g:xAFDem3EMWPQHOL9X
                                                                                                                                                                                                            TLSH:5294BF01BB90D435E4F752F85A7683A8B52E7EA16B2550CF13D42AEE57386E1EC3130B
                                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P3K.>`K.>`K.>`...`J.>`U..`\.>`U..`..>`l.E`L.>`K.?`..>`U..`t.>`U..`J.>`U..`J.>`RichK.>`........................PE..L......a...
                                                                                                                                                                                                            Icon Hash:aed8ae9ecea62aa2
                                                                                                                                                                                                            Entrypoint:0x40b2b0
                                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                            Time Stamp:0x61810712 [Tue Nov 2 09:38:26 2021 UTC]
                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                            OS Version Major:5
                                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                                            File Version Major:5
                                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                                            Subsystem Version Major:5
                                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                                            Import Hash:dc0513b2e8e866ceee30009dd51093dc
                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                            mov edi, edi
                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                                            call 00007F3D28CC157Bh
                                                                                                                                                                                                            call 00007F3D28CB6856h
                                                                                                                                                                                                            pop ebp
                                                                                                                                                                                                            ret
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            int3
                                                                                                                                                                                                            mov edi, edi
                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                                            push FFFFFFFEh
                                                                                                                                                                                                            push 00430E70h
                                                                                                                                                                                                            push 0040EE20h
                                                                                                                                                                                                            mov eax, dword ptr fs:[00000000h]
                                                                                                                                                                                                            push eax
                                                                                                                                                                                                            add esp, FFFFFF94h
                                                                                                                                                                                                            push ebx
                                                                                                                                                                                                            push esi
                                                                                                                                                                                                            push edi
                                                                                                                                                                                                            mov eax, dword ptr [0045CB94h]
                                                                                                                                                                                                            xor dword ptr [ebp-08h], eax
                                                                                                                                                                                                            xor eax, ebp
                                                                                                                                                                                                            push eax
                                                                                                                                                                                                            lea eax, dword ptr [ebp-10h]
                                                                                                                                                                                                            mov dword ptr fs:[00000000h], eax
                                                                                                                                                                                                            mov dword ptr [ebp-18h], esp
                                                                                                                                                                                                            mov dword ptr [ebp-70h], 00000000h
                                                                                                                                                                                                            mov dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                                            lea eax, dword ptr [ebp-60h]
                                                                                                                                                                                                            push eax
                                                                                                                                                                                                            call dword ptr [00401208h]
                                                                                                                                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                            jmp 00007F3D28CB6868h
                                                                                                                                                                                                            mov eax, 00000001h
                                                                                                                                                                                                            ret
                                                                                                                                                                                                            mov esp, dword ptr [ebp-18h]
                                                                                                                                                                                                            mov dword ptr [ebp-78h], 000000FFh
                                                                                                                                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                            mov eax, dword ptr [ebp-78h]
                                                                                                                                                                                                            jmp 00007F3D28CB6998h
                                                                                                                                                                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                                                            call 00007F3D28CB69D4h
                                                                                                                                                                                                            mov dword ptr [ebp-6Ch], eax
                                                                                                                                                                                                            push 00000001h
                                                                                                                                                                                                            call 00007F3D28CC2CEAh
                                                                                                                                                                                                            add esp, 04h
                                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                                            jne 00007F3D28CB684Ch
                                                                                                                                                                                                            push 0000001Ch
                                                                                                                                                                                                            call 00007F3D28CB698Ch
                                                                                                                                                                                                            add esp, 04h
                                                                                                                                                                                                            call 00007F3D28CBEB84h
                                                                                                                                                                                                            test eax, eax
                                                                                                                                                                                                            jne 00007F3D28CB684Ch
                                                                                                                                                                                                            push 00000010h
                                                                                                                                                                                                            Programming Language:
                                                                                                                                                                                                            • [ASM] VS2008 build 21022
                                                                                                                                                                                                            • [ C ] VS2008 build 21022
                                                                                                                                                                                                            • [IMP] VS2005 build 50727
                                                                                                                                                                                                            • [C++] VS2008 build 21022
                                                                                                                                                                                                            • [RES] VS2008 build 21022
                                                                                                                                                                                                            • [LNK] VS2008 build 21022
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x315d4          0x50          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x6a000          0x69c8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x1350           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x8c60           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x1000           0x2f4         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3174c | 0x31800 | False | 0.3750542534722222 | data | 5.748787816924977 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x33000 | 0x33d68 | 0x2ae00 | False | 0.9716483691690962 | data | 7.941676038288415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gay | 0x67000 | 0x400 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gayeta | 0x68000 | 0x400 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.kux | 0x69000 | 0x96 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6a000 | 0x69c8 | 0x6a00 | False | 0.7162072523584906 | data | 6.185660414732063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6a330 | 0x6c8 | data | Korean | North Korea
RT_ICON | 0x6a330 | 0x6c8 | data | Korean | South Korea
RT_ICON | 0x6a9f8 | 0x568 | GLS_BINARY_LSB_FIRST | Korean | North Korea
RT_ICON | 0x6a9f8 | 0x568 | GLS_BINARY_LSB_FIRST | Korean | South Korea
RT_ICON | 0x6af60 | 0x10a8 | data | Korean | North Korea
RT_ICON | 0x6af60 | 0x10a8 | data | Korean | South Korea
RT_ICON | 0x6c008 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Korean | North Korea
RT_ICON | 0x6c008 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Korean | South Korea
RT_ICON | 0x6c990 | 0x468 | GLS_BINARY_LSB_FIRST | Korean | North Korea
RT_ICON | 0x6c990 | 0x468 | GLS_BINARY_LSB_FIRST | Korean | South Korea
RT_ICON | 0x6ce48 | 0x25a8 | data | Korean | North Korea
RT_ICON | 0x6ce48 | 0x25a8 | data | Korean | South Korea
RT_ICON | 0x6f3f0 | 0x10a8 | data | Korean | North Korea
RT_ICON | 0x6f3f0 | 0x10a8 | data | Korean | South Korea
RT_STRING | 0x706d0 | 0xac | data | Korean | North Korea
RT_STRING | 0x706d0 | 0xac | data | Korean | South Korea
RT_STRING | 0x70780 | 0x246 | data | Korean | North Korea
RT_STRING | 0x70780 | 0x246 | data | Korean | South Korea
RT_ACCELERATOR | 0x70530 | 0x60 | data | Korean | North Korea
RT_ACCELERATOR | 0x70530 | 0x60 | data | Korean | South Korea
RT_ACCELERATOR | 0x704c0 | 0x70 | data | Korean | North Korea
RT_ACCELERATOR | 0x704c0 | 0x70 | data | Korean | South Korea
RT_GROUP_ICON | 0x70498 | 0x22 | data | Korean | North Korea
RT_GROUP_ICON | 0x70498 | 0x22 | data | Korean | South Korea
RT_GROUP_ICON | 0x6cdf8 | 0x4c | data | Korean | North Korea
RT_GROUP_ICON | 0x6cdf8 | 0x4c | data | Korean | South Korea
RT_VERSION | 0x70590 | 0x13c | data | Korean | North Korea
RT_VERSION | 0x70590 | 0x13c | data | Korean | South Korea
DLL | Import
KERNEL32.dll | VerifyVersionInfoW, WriteConsoleInputA, EnumDateFormatsW, CopyFileExW, DnsHostnameToComputerNameW, FindNextFileW, ReadConsoleOutputCharacterW, SetConsoleActiveScreenBuffer, LockFile, GetProfileSectionA, QueryDosDeviceW, RequestWakeupLatency, GetProcessPriorityBoost, GetDriveTypeW, GlobalGetAtomNameA, DeleteFileW, FindNextVolumeMountPointW, TlsSetValue, SizeofResource, WriteConsoleInputW, GetConsoleTitleW, GetComputerNameExW, OpenEventA, CallNamedPipeA, GetModuleHandleW, GetSystemDirectoryA, GetDriveTypeA, BuildCommDCBAndTimeoutsA, GetProcAddress, GetModuleHandleA, GetShortPathNameA, DeleteFileA, GetCommandLineW, InterlockedIncrement, InterlockedExchange, CopyFileW, CreateActCtxW, FormatMessageW, EnterCriticalSection, FindNextVolumeA, CreateIoCompletionPort, LoadLibraryA, CreateNamedPipeW, GetSystemDefaultLangID, GetConsoleAliasesLengthA, WriteProfileSectionW, AddAtomW, InterlockedDecrement, HeapFree, _hwrite, InterlockedCompareExchange, GetStartupInfoW, CreateMailslotW, GetCPInfoExW, GetSystemWow64DirectoryW, GetLastError, GetPrivateProfileIntW, GetConsoleAliasExesLengthW, WaitForDebugEvent, SetLastError, LoadLibraryW, VerifyVersionInfoA, VirtualAlloc, GetACP, lstrcpyA, GetConsoleAliasA, GetDiskFreeSpaceExA, TerminateProcess, EnumResourceLanguagesA, SetConsoleTextAttribute, GlobalGetAtomNameW, CreateJobSet, MoveFileW, lstrcpynA, EnumSystemLocalesA, GetPrivateProfileSectionNamesW, GetFileAttributesW, FileTimeToSystemTime, GetTapeParameters, lstrcmpW, SetEvent, MoveFileA, CreateMutexA, FindResourceW, GetCommState, FormatMessageA, CreateFiber, GetConsoleFontSize, LocalAlloc, SetFileShortNameA, lstrcpyW, HeapLock, GetFileAttributesA, SetCalendarInfoW, GetSystemWindowsDirectoryW, GetConsoleAliasesW, EnumDateFormatsExW, GetComputerNameW, GetPrivateProfileStructW, _hread, LocalFlags, OpenWaitableTimerA, EnumResourceNamesW, CreateFileMappingW, SetProcessShutdownParameters, lstrcpynW, GetFullPathNameW, WriteConsoleW, FreeUserPhysicalPages, WriteConsoleOutputCharacterW, OpenJobObjectW, CreateFileW, SetCurrentDirectoryA, GlobalWire, GetFileInformationByHandle, GetProfileSectionW, CommConfigDialogW, CreateFileA, GetDefaultCommConfigA, LocalFree, Sleep, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwind, WideCharToMultiByte, GetCommandLineA, GetStartupInfoA, HeapValidate, IsBadReadPtr, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameW, GetCurrentProcess, IsDebuggerPresent, TlsGetValue, TlsAlloc, GetCurrentThreadId, TlsFree, GetOEMCP, GetCPInfo, IsValidCodePage, SetFilePointer, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, ExitProcess, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, WriteFile, HeapAlloc, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DebugBreak, OutputDebugStringA, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle
USER32.dll | CharToOemBuffW, CharUpperW, GetMessageTime, LoadMenuA
ADVAPI32.dll | AbortSystemShutdownW
Language of compilation system | Country where language is spoken | Map
Korean | North Korea |
Korean | South Korea |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/05/22-18:42:26.812831 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 61356 | 53 | 192.168.2.5 | 8.8.8.8
08/05/22-18:42:31.139956 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49765 | 80 | 192.168.2.5 | 91.203.192.233
08/05/22-18:42:29.205624 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 80 | 49765 | 91.203.192.233 | 192.168.2.5
08/05/22-18:42:27.425256 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 18:42:27.021713018 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:27.116420031 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:27.116735935 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:27.425256014 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:27.499471903 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:27.673376083 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:27.770121098 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:29.052510023 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:29.138519049 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:29.205624104 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:29.270282030 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:31.139955997 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:31.202965021 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275098085 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275167942 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275218964 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275249958 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:31.275278091 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275337934 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275342941 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:31.275413990 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:31.275490046 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:47.214340925 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:47.309964895 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310009956 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310075045 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:47.310091019 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310291052 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310446978 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310657024 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310667992 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310811043 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.310852051 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.402631998 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.402652979 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.474572897 CEST | 80 | 49765 | 91.203.192.233 | 192.168.2.5
Aug 5, 2022 18:42:47.584464073 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Aug 5, 2022 18:42:47.780308962 CEST | 49765 | 80 | 192.168.2.5 | 91.203.192.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 18:42:26.812830925 CEST | 61356 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 18:42:27.002224922 CEST | 53 | 61356 | 8.8.8.8 | 192.168.2.5
Aug 5, 2022 18:42:32.649317026 CEST | 59661 | 53 | 192.168.2.5 | 8.8.8.8
Aug 5, 2022 18:42:32.677098036 CEST | 57278 | 53 | 192.168.2.5 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 18:42:26.812830925 CEST | 192.168.2.5 | 8.8.8.8 | 0xb2ac | Standard query (0) | stcontact.top | A (IP address) | IN (0x0001)
Aug 5, 2022 18:42:32.649317026 CEST | 192.168.2.5 | 8.8.8.8 | 0x83cb | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Aug 5, 2022 18:42:32.677098036 CEST | 192.168.2.5 | 8.8.8.8 | 0x1080 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 18:42:27.002224922 CEST | 8.8.8.8 | 192.168.2.5 | 0xb2ac | No error (0) | stcontact.top | | 91.203.192.233 | A (IP address) | IN (0x0001)
Aug 5, 2022 18:42:32.670217991 CEST | 8.8.8.8 | 192.168.2.5 | 0x83cb | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 18:42:32.699858904 CEST | 8.8.8.8 | 192.168.2.5 | 0x1080 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
                                                                                                                                                                                                            No statistics
Target ID: 0
Start time: 18:42:05
Start date: 05/08/2022
Path: C:\Users\user\Desktop\K2Z6KZbzFS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\K2Z6KZbzFS.exe"
Imagebase: 0x400000
File size: 409088 bytes
MD5 hash: 3333E40E61FF33675C26E7A712A7808D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.496646256.0000000002595000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.492458153.0000000000698000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.495750268.00000000022F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.408726056.0000000000704000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.491785643.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.491785643.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.490903331.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.490903331.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.506987183.0000000004A20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000003.408078605.0000000002120000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.495256402.00000000021C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly