Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 740246
MD5: 76b726f03046fc48fcc93701c14a3894
SHA1: 3f1dec6167f3e52c4a723095bff999aed31c71c3
SHA256: 983b19f3d65f37400eeb404fd838e322041fc26335ed14e08d29addbb87fcea9
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • file.exe (PID: 5840 cmdline: C:\Users\user\Desktop\file.exe MD5: 76B726F03046FC48FCC93701C14A3894)
    • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 100032 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • WerFault.exe (PID: 100204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

RedLine: {"C2 url": ["194.110.203.100:32796"], "Bot Id": "711", "Message": "License Not Found", "Authorization Header": "24e3340d853c89cad1e25194559ee778"}

Yara matches in PCAP (Source | Rule | Description | Author)

Source: dump.pcap | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: dump.pcap | Rule: JoeSecurity_RedLine_1 | Description: Yara detected RedLine Stealer | Author: Joe Security

Yara matches in memory dumps (Source | Rule | Description | Author)

Source: 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000000.295452062.0000000000A23000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.312912092.0000000000A23000.00000004.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000003.256237407.0000000000892000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

Yara matches in unpacked files (Source | Rule | Description | Author | Strings)

Source: 0.2.file.exe.9f0000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.file.exe.9f0000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0x2529c:$s5: delete[]
  • 0x529f0:$pat14: , CommandLine:
  • 0x4a6db:$v2_1: ListOfProcesses
  • 0x4a46f:$v4_3: base64str
  • 0x4b4fa:$v4_4: stringKey
  • 0x48088:$v4_5: BytesToStringConverted
  • 0x470f0:$v4_6: FromBase64
  • 0x4885c:$v4_8: procName
  • 0x48bdf:$v5_1: DownloadAndExecuteUpdate
  • 0x4a37f:$v5_2: ITaskProcessor
  • 0x48bcd:$v5_3: CommandLineUpdate
  • 0x48bbe:$v5_4: DownloadUpdate
  • 0x49273:$v5_5: FileScanning
  • 0x483f7:$v5_7: RecordHeaderField
  • 0x47e16:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.3.file.exe.890000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.3.file.exe.890000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen | Strings:
  • 0x21070:$pat14: , CommandLine:
  • 0x18d5b:$v2_1: ListOfProcesses
  • 0x18aef:$v4_3: base64str
  • 0x19b7a:$v4_4: stringKey
  • 0x16708:$v4_5: BytesToStringConverted
  • 0x15770:$v4_6: FromBase64
  • 0x16edc:$v4_8: procName
  • 0x1725f:$v5_1: DownloadAndExecuteUpdate
  • 0x189ff:$v5_2: ITaskProcessor
  • 0x1724d:$v5_3: CommandLineUpdate
  • 0x1723e:$v5_4: DownloadUpdate
  • 0x178f3:$v5_5: FileScanning
  • 0x16a77:$v5_7: RecordHeaderField
  • 0x16496:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
Source: 0.2.file.exe.a22780.1.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security

No Sigma rule has matched

Snort IDS alerts

Timestamp: 11/07/22-20:02:48.733611
Source IP: 192.168.2.6
Destination IP: 194.110.203.100
Source Port: 49721
Destination Port: 32796
SID: 2850027
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/07/22-20:02:51.076682
Source IP: 194.110.203.100
Destination IP: 192.168.2.6
Source Port: 32796
Destination Port: 49721
SID: 2850353
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/07/22-20:03:07.287990
Source IP: 192.168.2.6
Destination IP: 194.110.203.100
Source Port: 49721
Destination Port: 32796
SID: 2850286
Protocol: TCP
Classtype: A Network Trojan was detected

                      AV Detection

Source: file.exe | Virustotal: Detection: 35%
Source: file.exe | Joe Sandbox ML: detected
Source: 0.3.file.exe.890000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["194.110.203.100:32796"], "Bot Id": "711", "Message": "License Not Found", "Authorization Header": "24e3340d853c89cad1e25194559ee778"}
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0B794 FindFirstFileExW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A318AC8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A318AC8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A314D92h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A315212h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A314113h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A317FFEh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 4x nop then jmp 0A3130B3h

                      Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.6:49721 -> 194.110.203.100:32796
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49721 -> 194.110.203.100:32796
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 194.110.203.100:32796 -> 192.168.2.6:49721
Source: global traffic | TCP traffic: 194.110.203.100 ports 2,3,32796,6,7,9
Source: Malware configuration extractor | URLs: 194.110.203.100:32796
Source: Joe Sandbox View | ASN Name: KMBBANK-ASRU
Source: Joe Sandbox View | IP Address: 194.110.203.100
Source: global traffic | TCP traffic: 192.168.2.6:49721 -> 194.110.203.100:32796
Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  • http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  • http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  • http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  • http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  • http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  • http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  • http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  • http://schemas.xmlsoap.org/ws/2002/12/policy
  • http://schemas.xmlsoap.org/ws/2004/04/sc
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  • http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust
  • http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2004/06/addressingex
  • http://schemas.xmlsoap.org/ws/2004/10/wsat
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  • http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  • http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  • http://schemas.xmlsoap.org/ws/2005/02/sc
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  • http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  • http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  • http://schemas.xmlsoap.org/ws/2005/02/trust
  • http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  • http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  • http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  • http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
  • http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://schemas.xmlsoap.org/soap/actor/next
  • http://schemas.xmlsoap.org/soap/envelope/
  • http://schemas.xmlsoap.org/ws/2004/08/addressing
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  • http://schemas.xmlsoap.org/ws/2005/02/rm
  • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  • http://tempuri.org/Entity/Id1
  • http://tempuri.org/Entity/Id10
  • http://tempuri.org/Entity/Id11
  • http://tempuri.org/Entity/Id12
  • http://tempuri.org/Entity/Id13
Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://tempuri.org/Entity/Id10Response
  • http://tempuri.org/Entity/Id11Response
  • http://tempuri.org/Entity/Id13Response
Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: file.exe, file.exe, 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                      Source: AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                      Source: AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                      Source: AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: file.exe, 00000000.00000000.295523429.0000000000B7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary

                      Source: 0.2.file.exe.9f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.3.file.exe.890000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.2.file.exe.a22780.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 0.2.file.exe.9f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.3.file.exe.890000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.file.exe.a22780.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F3470
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009FD80B
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A0F83A
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A00050
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A09A19
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A11483
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A115A3
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A0DDBE
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A047D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09CC4B38
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09CC0C08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09CC30B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09CC53B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A318268
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A3170C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A319998
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A3161D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A317700
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A315A7A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A318258
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A310032
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A310818
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A310808
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A310040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A3170B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A31A0E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A314962
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A310F00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A311FD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A311FC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A312440
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A315570
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 009F93D0 appears 48 times
                      Source: file.exeBinary or memory string: OriginalFilename vs file.exe
                      Source: file.exe, 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRedeemably.exe4 vs file.exe
                      Source: file.exeVirustotal: Detection: 35%
                      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\Yandex
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0DB.tmp
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/6@0/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 0.3.file.exe.890000.0.unpack, BrEx.csBase64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9oZW5ra
mlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5840
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F8F8B push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09CCF0C0 push eax; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 100192Thread sleep count: 5323 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 2644Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 100060Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow / User API: threadDelayed 5323
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A0B794 FindFirstFileExW,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: AppLaunch.exe, 00000002.00000003.355682780.000000000563F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                      Source: AppLaunch.exe, 00000002.00000002.370893266.000000000789F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 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
                      Source: AppLaunch.exe, 00000002.00000003.355682780.000000000563F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareL55CMH73Win32_VideoController3PO6M_HGVideoController120060621000000.000000-00071796460display.infMSBDAM_Y8M7HFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors_TDYZFA7gP%^
                      Source: AppLaunch.exe, 00000002.00000003.355682780.000000000563F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F91A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A0EED0 GetProcessHeap,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A0C8CA mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A2214C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A016F9 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F9307 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F91A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009FCA23 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F95F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 53A2008
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A22181 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F9415 cpuid
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009F909E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.9f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.file.exe.890000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.a22780.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.295452062.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.312912092.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.256237407.0000000000892000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 5840, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 100032, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ElectrumE#
Source: AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Jl4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: AppLaunch.exe, 00000002.00000002.376899619.000000000A99C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json
Source: AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: %appdata%\Ethereum\wallets
Source: AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: EthereumE#
Source: AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: Jl8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match; File source: 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 100032, type: MEMORYSTR
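The file-open evidence above is a usable detection signature in its own right: a .NET host process (AppLaunch.exe, normally the ClickOnce application launcher) reading Chrome's Login Data, Web Data and cookie databases and the Exodus, Electrum and Ethereum wallet directories, none of which it has any reason to touch. The following Python is an added example, not part of the Joe Sandbox report, that runs that logic over file-open events. The path patterns are the ones the report lists; the event format, the owner-process allowlist and the sample events are constructed for the demonstration.

```python
import fnmatch
from collections import defaultdict

# Path families the report shows AppLaunch.exe opening, taken from the
# "File opened" / "String found" evidence. Matched case-insensitively after
# normalisation; '*' also spans directory separators.
TARGETS = {
    "chrome_credentials": [
        r"*\AppData\Local\Google\Chrome\User Data\*\Login Data",
        r"*\AppData\Local\Google\Chrome\User Data\*\Web Data",
        r"*\AppData\Local\Google\Chrome\User Data\*\Network\Cookies",
        r"*\AppData\Local\Google\Chrome\User Data\*\Extension Cookies",
    ],
    "crypto_wallets": [
        r"*\AppData\Roaming\Ethereum\wallets\*",
        r"*\AppData\Roaming\Exodus\exodus.wallet\*",
        r"*\AppData\Roaming\Exodus\*.json",
        r"*\AppData\Roaming\Electrum\wallets\*",
    ],
}

# Processes allowed to read each family. This allowlist is an assumption for
# the demo; tune it to the software actually deployed.
OWNERS = {
    "chrome_credentials": {"chrome.exe"},
    "crypto_wallets": {"exodus.exe", "electrum.exe", "geth.exe"},
}


def normalise(path: str) -> str:
    """Lower-case, drop the NT '\\??\\' prefix seen in the dump, use '/' throughout."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("\\", "/")


def classify_path(path: str):
    """Return the store family a path belongs to, or None if it is not of interest."""
    p = normalise(path)
    for family, patterns in TARGETS.items():
        if any(fnmatch.fnmatchcase(p, normalise(pat)) for pat in patterns):
            return family
    return None


def detect(events):
    """events: iterable of (process_name, opened_path).

    Returns {process: {family: [paths]}} for every process that opened a
    credential or wallet store it is not the owner of.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for process, path in events:
        family = classify_path(path)
        if family is None or process.lower() in OWNERS[family]:
            continue
        hits[process][family].append(path)
    return {proc: dict(fams) for proc, fams in hits.items()}


def verdict(families_hit) -> str:
    """One process reading both browser secrets and wallet files is the
    infostealer pattern; a single family on its own could be backup software."""
    return "likely infostealer" if len(families_hit) >= 2 else "review"


# Constructed events modelled on the report (not real telemetry).
SAMPLE_EVENTS = [
    ("AppLaunch.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("AppLaunch.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("AppLaunch.exe", r"C:\Users\user\AppData\Roaming\Ethereum\wallets" + "\\"),
    ("AppLaunch.exe", r"\??\C:\Users\user\AppData\Roaming\Exodus\window-state.json"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("backup.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet"),
    ("explorer.exe", r"C:\Users\user\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for proc, fams in detect(SAMPLE_EVENTS).items():
        print(f"{proc}: {verdict(fams)} -> {sorted(fams)}")
```

In production the events would come from Sysmon or an EDR file-access feed; the point of the owner allowlist is that the same paths opened by chrome.exe or the wallet application are normal, and only a foreign process (here a hollowed AppLaunch.exe) crossing two store families is worth an alert.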

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.file.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.file.exe.890000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.a22780.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.295452062.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.312912092.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.256237407.0000000000892000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 5840, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: AppLaunch.exe PID: 100032, type: MEMORYSTR
MITRE ATT&CK Matrix (columns are tactics; the bracketed digits are the badge counts the report shows next to the techniques this sample matched, reproduced as extracted; cells without a badge are the matrix's unmatched techniques)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [221] | Path Interception | Process Injection [411] | Masquerading [1] | OS Credential Dumping [1] | System Time Discovery [1] | Remote Services | Input Capture [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools [11] | Input Capture [1] | Security Software Discovery [251] | Remote Desktop Protocol | Archive Collected Data [1] | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [241] | Security Account Manager | Process Discovery [11] | SMB/Windows Admin Shares | Data from Local System [3] | Automated Exfiltration | Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [411] | NTDS | Virtualization/Sandbox Evasion [241] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information [1] | LSA Secrets | Application Window Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information [31] | Cached Domain Credentials | Remote System Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery [144] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Source | Detection | Scanner
file.exe | 35% | Virustotal
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23Response | 0% | URL Reputation | safe
                      No contacted domains info
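Almost nothing in the URL tables is a network indicator. http://tempuri.org/ is the default contract namespace Visual Studio assigns to WCF and ASMX services, and the schemas.xmlsoap.org and docs.oasis-open.org entries are WS-* XML namespace identifiers carried by System.ServiceModel; together they show the stealer embeds a SOAP/WCF client, consistent with RedLine's documented WCF-based C2, but none of these URIs is ever contacted, so a "URL Reputation: safe" verdict on them says nothing about the sample. The duckduckgo.com and search.yahoo.com templates are Chromium's built-in search providers, present in the dump because the sample read Chrome's Web Data. The one string that deserves attention is https://api.ip.sb/ip, an external-IP lookup. The following Python is an added example, not part of the Joe Sandbox report, that applies this triage to URL strings pulled from a dump; the host lists beyond the hosts named here and the sample string list are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# XML namespace hosts: these URIs identify WS-* schemas and are never
# contacted. The first two appear in the report; the other two are
# assumptions covering further common .NET namespace strings.
NAMESPACE_HOSTS = {"schemas.xmlsoap.org", "docs.oasis-open.org",
                   "schemas.microsoft.com", "www.w3.org"}
# http://tempuri.org/ is the default contract namespace Visual Studio assigns
# to WCF/ASMX services; a binary full of tempuri.org operation URIs carries a
# SOAP client, which matches RedLine's documented WCF-based C2.
WCF_DEFAULT_NS = "tempuri.org"
# Search-provider templates from Chromium's built-in list; they end up in the
# dump because the stealer read Chrome's "Web Data". (Assumed list.)
BROWSER_DEFAULT_HOSTS = {"duckduckgo.com", "search.yahoo.com",
                         "www.google.com", "www.bing.com"}


def split_concatenated(s: str):
    """Dump strings sometimes run two URLs together
    ('.../favicon.icohttps://duckduckgo.com/?q='); split before each scheme."""
    return [p for p in re.split(r"(?=https?://)", s) if p]


def classify_url(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    if host == WCF_DEFAULT_NS:
        return "wcf-contract"
    if host in NAMESPACE_HOSTS:
        return "ws-namespace"
    if host in BROWSER_DEFAULT_HOSTS:
        return "browser-data"
    return "actionable"


def triage(strings):
    """Bucket every URL in the strings; only the 'actionable' bucket needs an analyst."""
    buckets = {"wcf-contract": [], "ws-namespace": [], "browser-data": [], "actionable": []}
    for s in strings:
        for url in split_concatenated(s):
            buckets[classify_url(url)].append(url)
    return buckets


WCF_OP = re.compile(r"^http://tempuri\.org/([^/]+)/([^/]+?)(Response)?$")


def wcf_operations(tempuri_urls):
    """Recover (contract, operation) pairs from http://tempuri.org/<Contract>/<Op>[Response].
    Operation names such as Id1..Id24 carry no meaning, so count them rather than read them."""
    ops = set()
    for url in tempuri_urls:
        m = WCF_OP.match(url)
        if m:
            ops.add((m.group(1), m.group(2)))
    return sorted(ops)


# Constructed subset of the strings listed in the report's URL table.
SAMPLE_STRINGS = [
    "http://tempuri.org/",
    "http://tempuri.org/Entity/Id12Response",
    "http://tempuri.org/Entity/Id9",
    "http://tempuri.org/Entity/Id9Response",
    "http://tempuri.org/Entity/Id24",
    "http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret",
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1",
    "https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=",
    "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=",
    "https://api.ip.sb/ip",
]

if __name__ == "__main__":
    b = triage(SAMPLE_STRINGS)
    for kind, urls in b.items():
        print(f"{kind}: {len(urls)}")
    print("WCF operations:", wcf_operations(b["wcf-contract"]))
    print("look at:", b["actionable"])
```

Run against the full table above, the wcf-contract bucket reproduces the Entity/Id1 to Id24 contract the sample carries, and the actionable bucket is reduced to the single external-IP lookup; the real C2 endpoint is not in the strings at all and has to come from the malware configuration or the pcap.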
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | file.exe, file.exe, 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | AppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | AppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp | false |
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingAppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id10AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id11AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id12AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16ResponseAppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id13AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id14AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id15AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id16AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NonceAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id17AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id18AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id5ResponseAppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id19AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsAppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id10ResponseAppLaunch.exe, 00000002.00000002.360684678.000000000768F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/soap/envelope/AppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://search.yahoo.com?fr=crmas_sfpfAppLaunch.exe, 00000002.00000002.372408978.0000000008599000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372136186.0000000008538000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371455315.000000000843C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373051767.0000000008690000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371778582.00000000084BA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372805407.000000000862F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373188331.00000000086AD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371644889.000000000849D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.371355743.000000000841F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372688030.0000000008612000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359286293.0000000007569000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372551259.00000000085B6000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.359831862.00000000075F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.360602784.0000000007682000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.358674223.00000000074DD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.372032571.000000000851B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1AppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://tempuri.org/Entity/Id23ResponseAppLaunch.exe, 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/06/addressingexAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoorAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceAppLaunch.exe, 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseAppLaunch.exe, 00000002.00000002.357962850.00000000073C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
Contacted IPs

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 194.110.203.100 | unknown | United Kingdom | 42693 | KMBBANK-ASRU | true |
General Information

Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 740246
Start date and time: 2022-11-07 20:01:20 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/6@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 97.3% (good quality ratio 90.8%)
• Quality average: 78.1%
• Quality standard deviation: 29.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
• Execution Graph export aborted for target AppLaunch.exe, PID 100032 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
                                                                                                                                                    Time      Type             Description
                                                                                                                                                    20:02:46  API Interceptor  1x Sleep call for process: WerFault.exe modified
                                                                                                                                                    20:03:04  API Interceptor  26x Sleep call for process: AppLaunch.exe modified
                                                                                                                                                    No context
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):65536
                                                                                                                                                    Entropy (8bit):0.6146576752327751
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:8x8bPvcWkHBUZMXz03jE/u7sLS274ItmhB:NCBUZMXYjE/u7sLX4ItA
                                                                                                                                                    MD5:87FC08DFB1CDBBEECED61F71782858B6
                                                                                                                                                    SHA1:D8DE7FFC4D42D45D576DF967B761A3E9C612A0C8
                                                                                                                                                    SHA-256:36E068F5844B4955F152E6259DF99FABE9F93FC9B750B5715F306B7776E358B2
                                                                                                                                                    SHA-512:28528648875BBCF03372726817FF71836E63C641B0C2AE6FC6A56B9D1C2C83C941CC0FF158083DFECE0AB22F4917CA76D3A1206E93F770CE8BFA85B1CF3AB105
                                                                                                                                                    Malicious:true
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.2.3.5.3.7.6.2.6.2.1.5.1.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.2.3.5.3.7.6.4.8.2.4.6.3.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.e.5.5.b.a.3.-.f.4.5.b.-.4.4.9.a.-.9.b.7.7.-.f.7.3.c.e.3.0.b.8.7.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.0.f.e.9.2.b.-.9.f.1.8.-.4.4.b.5.-.b.9.a.8.-.5.1.2.d.8.8.3.0.1.e.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.d.0.-.0.0.0.1.-.0.0.1.a.-.4.3.0.f.-.0.c.e.4.2.6.f.3.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.f.1.d.e.c.6.1.6.7.f.3.e.5.2.c.4.a.7.2.3.0.9.5.b.f.f.9.9.9.a.e.d.3.1.c.7.1.c.3.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.1.1.
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 8 04:02:43 2022, 0x1205a4 type
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):2326066
                                                                                                                                                    Entropy (8bit):2.72014094231897
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:6144:XOBvoBDGxNDw128unr2TkWcgviLt5OTl4MRkifkOJn19DoEWp5:XCopEl5aVccHlvt19DoEWf
                                                                                                                                                    MD5:C6E94E8DC885B44B7491FB58D0DDC0A8
                                                                                                                                                    SHA1:7A723B25DB742C0F6D819498D1E46826E5D4BFC4
                                                                                                                                                    SHA-256:1B04E24A87AC1013804FC3C020491B7A5B3AF44126264646468FF327DABD4364
                                                                                                                                                    SHA-512:9776267A59359E97EFFB32D98F4290B961CAAF2C2F50AAA35DC7F4D08928AAFEC94297C932AC4DF96AAF0C5FBF4E7C1C55F08D0F4C75B83B8E241CF64E53B937
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview:MDMP....... .........ic............4........... ...<.......T...............T.......8...........T............g..z...........\...........H....................................................................U...........B..............GenuineIntelW...........T.............ic.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):8268
                                                                                                                                                    Entropy (8bit):3.693331909547304
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:192:Rrl7r3GLNiLCE6Dh6YqbSUVZ0igmfBSVS/OCprV89bWbsfNym:RrlsNit6F6YGSUjJgmfOScWgfp
                                                                                                                                                    MD5:9A2D91907082D657F924A56CD80E3F64
                                                                                                                                                    SHA1:31DA20E5E800B1EA2C3A4803E3CB2DCFEFE9AEEC
                                                                                                                                                    SHA-256:CD54AEB84D9F2D772C98904CE0F24F0387EE722D9548D45B08A75C2831C591F4
                                                                                                                                                    SHA-512:245BEDDB7C37623166424A1EA5D5DF20F55AF927C9251C6473BBA8528F0090512680DDCE1876C284EEBD2DD01A6DD6440481BE6473793E3BA75F5F3B9075BBFA
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.4.0.<./.P.i.d.>.......
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4521
                                                                                                                                                    Entropy (8bit):4.423660373002552
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:cvIwSD8zswJgtWI9FBWgc8sqYjP8fm8M4JhOFi+q8aBtdfNwd:uITf2yQgrsqYwJLhtlNwd
                                                                                                                                                    MD5:7B0C03096324CD48C67D527D0204126D
                                                                                                                                                    SHA1:6E3986447CF7AB690A5E6ABCCE08B110FDFF7F13
                                                                                                                                                    SHA-256:325FFFF9B3CFCDA929C98430A946C0D4703C27D3169040296957226BA8D162F6
                                                                                                                                                    SHA-512:8A15EA240D7A20FC8BF9E3D298B4D4DC307E4CD0A4C0DE207A05F004A700D1E9C4815A311923E4283B475423939528229B5C0A56AD672F0A8C885644968CA323
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1770553" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):2843
                                                                                                                                                    Entropy (8bit):5.3371553026862095
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHje:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxU
                                                                                                                                                    MD5:75BC6DB42CE4C37482926043D9B80BC9
                                                                                                                                                    SHA1:700BDF1D18804FBE60EB0318B290C37CDC60EA41
                                                                                                                                                    SHA-256:15F15BDEB42AD40DBCB6BB9064C33B51CB43EDB99820EDE647350BE604AAF58A
                                                                                                                                                    SHA-512:26E15E546BBD6518265BAC343F952E75B30C7927143D293780F456A5B44C1E1B6B7D074DF00BC6328D23E52FE9E3F8850A879B129C35F47B0ED864E9C640BA4F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):11
                                                                                                                                                    Entropy (8bit):2.663532754804255
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:gQdcXW:gQn
                                                                                                                                                    MD5:5F702714045C206E93012159054928D0
                                                                                                                                                    SHA1:3AEF30FD196AE230CD4C194006A3185524EFC82A
                                                                                                                                                    SHA-256:A6706758CED31780EA9392DDDFE62CF54D9D03EED69FCCBB00234AF431892043
                                                                                                                                                    SHA-512:AC25D23590C1907E726362F5C752022A0EC7F1D5E10B7A6CEB500CB6A685AACC2B5A8340EFB4AE0B30B186A17395BB7C682151F2389D765F1F890842B5884666
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview:76587687123
                                                                                                                                                    File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                    Entropy (8bit):7.233138744312905
                                                                                                                                                    TrID:
                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                    File name:file.exe
                                                                                                                                                    File size:355328
                                                                                                                                                    MD5:76b726f03046fc48fcc93701c14a3894
                                                                                                                                                    SHA1:3f1dec6167f3e52c4a723095bff999aed31c71c3
                                                                                                                                                    SHA256:983b19f3d65f37400eeb404fd838e322041fc26335ed14e08d29addbb87fcea9
                                                                                                                                                    SHA512:82adb5bb73b094bc71179b8273d1b4cfcd58562edb396bf0aa029b70098ba982a5a7d8a4edf179400523afba8d275c1ddffcbdf061a833545f1ce4d31aa12f8a
                                                                                                                                                    SSDEEP:6144:Sy1R2biwZ3RIcq5KlVwOTi4bBI8UAOdJYJfPfc+freo5JSjZY85U:Sy1RqiwZ3RIcq5d/knL5zr
                                                                                                                                                    TLSH:F474CF40B5D3DA72D8B3543609E0DB75897DB8200F705AFF67E4476B4E202C3A9B2A79
                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... J..sJ..sJ..s^..rG..s^..r...s^..r\..s...r[..s...r^..s...r...s^..rI..sJ..s...s...rK..s...rK..sRichJ..s................PE..L..
                                                                                                                                                    Icon Hash:00828e8e8686b000
                                                                                                                                                    Entrypoint:0x408d22
                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                    Digitally signed:false
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    Subsystem:windows cui
                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                    Time Stamp:0x636954D1 [Mon Nov 7 18:56:17 2022 UTC]
                                                                                                                                                    TLS Callbacks:
                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                    OS Version Major:6
                                                                                                                                                    OS Version Minor:0
                                                                                                                                                    File Version Major:6
                                                                                                                                                    File Version Minor:0
                                                                                                                                                    Subsystem Version Major:6
                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                    Import Hash:e2a07bb4b81e6c6d0f72670722ee7e56
                                                                                                                                                    Instruction
                                                                                                                                                    call 00007F7774ABC519h
                                                                                                                                                    jmp 00007F7774ABBFC9h
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x3185c          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x57000          0x1c58        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x2fe0c          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x2fe28          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x24000          0x13c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x22d22       0x22e00   False     0.5762768817204301  data       6.6605774583744495  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x24000          0xdf72        0xe000    False     0.5242222377232143  data       5.554648741907312   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x32000          0x24930       0x23c00   False     0.7996271306818182  data       7.495127080621036   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x57000          0x1c58        0x1e00    False     0.7291666666666666  data       6.3994808113416175  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL: KERNEL32.dll
Imports: GetCurrentProcess, CreateThread, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, FreeConsole, CreateFileW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW, GetCPInfo, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, TerminateProcess, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetFileType, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, HeapSize, WriteConsoleW
Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP        Dest IP
11/07/22-20:02:48.733611  TCP       2850027  ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init    49721        32796      192.168.2.6      194.110.203.100
11/07/22-20:02:51.076682  TCP       2850353  ETPRO MALWARE Redline Stealer TCP CnC - Id1Response  32796        49721      194.110.203.100  192.168.2.6
11/07/22-20:03:07.287990  TCP       2850286  ETPRO TROJAN Redline Stealer TCP CnC Activity        49721        32796      192.168.2.6      194.110.203.100
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Nov 7, 2022 20:02:48.070909023 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:02:48.119203091 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:02:48.119393110 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:02:48.733611107 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:02:48.782188892 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:02:48.870331049 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:02:51.028397083 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:02:51.076682091 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:02:51.181005001 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:01.529644966 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:01.595479012 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:01.595535994 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:01.595587015 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:01.595690012 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:01.650660038 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:03.444371939 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:03.494756937 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:03.519723892 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:03.568541050 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:03.619524002 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.190699100 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.240565062 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:05.291585922 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.463870049 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.512433052 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:05.557214022 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.610408068 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.658844948 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:05.713537931 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.787441969 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.835834026 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:05.850558996 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.898813963 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:05.917280912 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:05.967777014 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.010380983 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.177527905 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.226139069 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.227144957 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.276046991 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.652749062 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.701364040 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.702847958 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.752557039 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.771147013 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.819082022 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.869879961 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.944365978 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:06.992187977 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:06.992892981 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:07.041780949 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.084103107 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.132455111 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:07.138436079 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.187535048 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:07.190057993 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.238189936 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:07.239080906 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.287101984 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:07.287990093 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.337461948 CET  32796        49721      194.110.203.100  192.168.2.6
Nov 7, 2022 20:03:07.385507107 CET  49721        32796      192.168.2.6      194.110.203.100
Nov 7, 2022 20:03:07.485074043 CET  49721        32796      192.168.2.6      194.110.203.100


Target ID: 0
Start time: 20:02:16
Start date: 07/11/2022
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\file.exe
Imagebase: 0x9f0000
File size: 355328 bytes
MD5 hash: 76B726F03046FC48FCC93701C14A3894
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.298695211.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.295452062.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.312912092.0000000000A23000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.256237407.0000000000892000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 20:02:16
Start date: 07/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6da640000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 20:02:21
Start date: 07/11/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0x10d0000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.358247423.0000000007453000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.363059245.0000000007752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 4
Start time: 20:02:34
Start date: 07/11/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
Imagebase: 0x1030000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 20:02:42
Start date: 07/11/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 94748
Imagebase: 0x1030000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly