Windows Analysis Report awxVepPEpA

Overview

General Information

Sample Name: awxVepPEpA (renamed file extension from none to exe)
Analysis ID: 546024
MD5: 110526d2882da3d46aa3d7023b00f41e
SHA1: 250a483cead19e65bc11d215d48289dff51241b0
SHA256: 772f0c407388e029e98f9d885f57a0e3ef9b0f42099a16fe6367fb321d4e2444
Tags: 32, exe, RedLine Stealer, trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc.)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Contains functionality to query locale information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name is different from the original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.231691926.00000000000C2000.00000004.00000001.sdmp Malware Configuration Extractor: RedLine {"C2 url": "85.209.89.134:41320", "Bot Id": "@flop_tc"}
Multi AV Scanner detection for submitted file
Source: awxVepPEpA.exe Virustotal: Detection: 53%
Source: awxVepPEpA.exe Metadefender: Detection: 22%
Source: awxVepPEpA.exe ReversingLabs: Detection: 51%
Machine Learning detection for sample
Source: awxVepPEpA.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: awxVepPEpA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025E75E8 FindFirstFileA, 0_2_025E75E8
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025E76C4 FindFirstFileA,GetLastError, 0_2_025E76C4

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 85.209.89.134 ports 41320,0,1,2,3,4
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 85.209.89.134
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49752 -> 85.209.89.134:41320
Source: unknown TCP traffic detected without corresponding DNS query: 85.209.89.134
Source: AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AppLaunch.exe, 00000003.00000002.289112352.00000000071EB000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289055313.0000000007170000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AppLaunch.exe, 00000003.00000002.289112352.00000000071EB000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AppLaunch.exe, 00000003.00000002.289112352.00000000071EB000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AppLaunch.exe, 00000003.00000002.289112352.00000000071EB000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AppLaunch.exe, 00000003.00000002.289000008.00000000070E1000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289055313.0000000007170000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: awxVepPEpA.exe, 00000000.00000002.231691926.00000000000C2000.00000004.00000001.sdmp, awxVepPEpA.exe, 00000000.00000003.231382400.0000000003722000.00000040.00000001.sdmp, AppLaunch.exe, 00000003.00000002.287138246.0000000000402000.00000020.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289055313.0000000007170000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AppLaunch.exe, 00000003.00000003.282823441.00000000085E4000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289689914.0000000007615000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289564008.00000000075D9000.00000004.00000001.sdmp, AppLaunch.exe, 00000003.00000002.289641750.00000000075FF000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: awxVepPEpA.exe, 00000000.00000002.233926586.0000000000BEA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file has nameless sections
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Uses 32bit PE files
Source: awxVepPEpA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACCEF 0_3_026ACCEF
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACCC7 0_3_026ACCC7
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACCB8 0_3_026ACCB8
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACCB1 0_3_026ACCB1
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACC8F 0_3_026ACC8F
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACC9E 0_3_026ACC9E
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACD2C 0_3_026ACD2C
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACD3C 0_3_026ACD3C
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACD04 0_3_026ACD04
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026ACD1D 0_3_026ACD1D
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025FB334 0_2_025FB334
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02606658 0_2_02606658
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0261E7B0 0_2_0261E7B0
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025F0538 0_2_025F0538
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025FCADC 0_2_025FCADC
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025F5918 0_2_025F5918
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02611CDC 0_2_02611CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_06F5EC28 3_2_06F5EC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_0A63E298 3_2_0A63E298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_0A639880 3_2_0A639880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_0A6351D0 3_2_0A6351D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_0A63B9D8 3_2_0A63B9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_0A63AEB8 3_2_0A63AEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 3_2_0A637F70 3_2_0A637F70
Contains functionality to call native functions
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0260DC4C SetFocus,SendMessageA,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,NtdllDefWindowProc_A, 0_2_0260DC4C
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02600270: CreateFileA,DeviceIoControl,CloseHandle, 0_2_02600270
Sample file is different than original file name gathered from version info
Source: awxVepPEpA.exe Binary or memory string: OriginalFilename vs awxVepPEpA.exe
Source: awxVepPEpA.exe, 00000000.00000003.228607582.0000000002580000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs awxVepPEpA.exe
Source: awxVepPEpA.exe, 00000000.00000003.228607582.0000000002580000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSV vs awxVepPEpA.exe
Source: awxVepPEpA.exe, 00000000.00000002.231691926.00000000000C2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSpillage.exe4 vs awxVepPEpA.exe
Source: awxVepPEpA.exe, 00000000.00000002.234097114.00000000025E1000.00000040.00000001.sdmp Binary or memory string: OriginalFilename vs awxVepPEpA.exe
Source: awxVepPEpA.exe, 00000000.00000002.234097114.00000000025E1000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSV vs awxVepPEpA.exe
Source: awxVepPEpA.exe, 00000000.00000003.231411767.000000000373C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameSpillage.exe4 vs awxVepPEpA.exe
Source: awxVepPEpA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: awxVepPEpA.exe Static PE information: Section: ZLIB complexity 1.00044194799
Source: awxVepPEpA.exe Static PE information: Section: ZLIB complexity 1.00052083333
Source: awxVepPEpA.exe Static PE information: Section: ZLIB complexity 1.0107421875
Source: awxVepPEpA.exe Static PE information: Section: ZLIB complexity 1.00165264423
Source: awxVepPEpA.exe Static PE information: Section: .rsrc ZLIB complexity 0.999701433121
Source: awxVepPEpA.exe Virustotal: Detection: 53%
Source: awxVepPEpA.exe Metadefender: Detection: 22%
Source: awxVepPEpA.exe ReversingLabs: Detection: 51%
Source: C:\Users\user\Desktop\awxVepPEpA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\awxVepPEpA.exe "C:\Users\user\Desktop\awxVepPEpA.exe"
Source: C:\Users\user\Desktop\awxVepPEpA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\awxVepPEpA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Yandex
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025E7898 GetDiskFreeSpaceA, 0_2_025E7898
Source: C:\Users\user\Desktop\awxVepPEpA.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: awxVepPEpA.exe Static file information: File size 3617280 > 1048576
Source: awxVepPEpA.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x2f9c00

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026B367F push ss; retf 0_3_026B3628
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026AC253 push ebp; iretd 0_3_026AC2A7
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026B3635 push ss; retf 0_3_026B3628
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026B0F90 push ecx; retf 0051h 0_3_026B0F93
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026AC46B push esp; retf 0000h 0_3_026AC46C
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026B1468 push ebp; ret 0_3_026B1470
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026AEC7F pushfd ; ret 0_3_026AECA9
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026B2561 push edx; ret 0_3_026B256D
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026B4950 push ecx; retf 0_3_026B4951
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026AD131 push edi; iretd 0_3_026AD133
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026AD1A3 push cs; retf 0_3_026AD1AB
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_3_026AF184 push ecx; iretd 0_3_026AF193
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0261526C push 02615298h; ret 0_2_02615290
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02615234 push 02615260h; ret 0_2_02615258
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0260523C push 02605268h; ret 0_2_02605260
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02605204 push 02605230h; ret 0_2_02605228
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025FE2D8 push 025FE304h; ret 0_2_025FE2FC
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0261D2BC push 0261D2E8h; ret 0_2_0261D2E0
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02602290 push esi; ret 0_2_02602344
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025EF344 push 025EF3A1h; ret 0_2_025EF399
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02620340 push 0262036Ch; ret 0_2_02620364
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025EC310 push 025EC37Fh; ret 0_2_025EC377
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02620308 push 02620334h; ret 0_2_0262032C
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0261731C push 02617348h; ret 0_2_02617340
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025EC3C8 push 025EC3F4h; ret 0_2_025EC3EC
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025EC390 push 025EC3BCh; ret 0_2_025EC3B4
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0261538C push 026153B8h; ret 0_2_026153B0
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025F6028 push 025F6054h; ret 0_2_025F604C
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025FE0C8 push 025FE0F4h; ret 0_2_025FE0EC
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0260E0A0 push 0260E0CCh; ret 0_2_0260E0C4
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_026100A8 push 026100E0h; ret 0_2_026100D8
PE file contains sections with non-standard names
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name:
Source: awxVepPEpA.exe Static PE information: section name: .tZjoKcx
Source: awxVepPEpA.exe Static PE information: section name: .adata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_026133CC LoadLibraryA,GetProcAddress, 0_2_026133CC
PE file contains an invalid checksum
Source: awxVepPEpA.exe Static PE information: real checksum: 0x378e0d should be: 0x381dcf
Source: initial sample Static PE information: section name: entropy: 7.99711453077
Source: initial sample Static PE information: section name: entropy: 7.9942215702
Source: initial sample Static PE information: section name: entropy: 7.79345594108
Source: initial sample Static PE information: section name: entropy: 7.97396561553
Source: initial sample Static PE information: section name: .rsrc entropy: 7.99695916307
Source: initial sample Static PE information: section name: .tZjoKcx entropy: 7.91909215806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5036 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 4600 Thread sleep time: -922337203685477s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0260B0FC rdtsc 0_2_0260B0FC
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Is looking for software installed on the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 2391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 3711
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025E75E8 FindFirstFileA, 0_2_025E75E8
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025E76C4 FindFirstFileA,GetLastError, 0_2_025E76C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: awxVepPEpA.exe, 00000000.00000002.233926586.0000000000BEA000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_026133CC LoadLibraryA,GetProcAddress, 0_2_026133CC
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_0260B0FC rdtsc 0_2_0260B0FC
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_00407497 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00407497

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\awxVepPEpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\awxVepPEpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: FBB008
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Source: C:\Users\user\Desktop\awxVepPEpA.exe Message posted: Message id: QUERYENDSESSION Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\awxVepPEpA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\awxVepPEpA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\awxVepPEpA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: unknown VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA, 0_2_025E4CB8
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: GetLocaleInfoA, 0_2_025E9C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_025ED280 GetLocalTime, 0_2_025ED280
Source: C:\Users\user\Desktop\awxVepPEpA.exe Code function: 0_2_02610558 GetVersionExA,GetVersionExA, 0_2_02610558

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.awxVepPEpA.exe.3720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.awxVepPEpA.exe.c3aec.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.awxVepPEpA.exe.c3aec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.231691926.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287138246.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.231382400.0000000003722000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Found many strings related to Crypto-Wallets (likely being stolen)
Source: AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: m2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: JaxxxLiberty
Source: AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: %appdata%\Ethereum\wallets
Source: AppLaunch.exe, 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp String found in binary or memory: m6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.289189345.0000000007249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 1008, type: MEMORYSTR

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 3.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.awxVepPEpA.exe.3720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.awxVepPEpA.exe.c3aec.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.awxVepPEpA.exe.c3aec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.231691926.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.287138246.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.231382400.0000000003722000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP