Windows Analysis Report OfficialKiddionsModMenuV0.8.7.exe

Overview

General Information

Sample Name: OfficialKiddionsModMenuV0.8.7.exe
Analysis ID: 546181
MD5: 7de3896baf12500f3e1cd311e2340806
SHA1: 500b906981aaa4810848643f1d8c17efa87bad20
SHA256: 213fce24e326925749adebaff2d85e23bba2b616c872e2089b23fa231f18756e
Tags: exe
Most interesting Screenshot:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • OfficialKiddionsModMenuV0.8.7.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe" MD5: 7DE3896BAF12500F3E1CD311E2340806)
    • AppLaunch.exe (PID: 6652 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": "103.246.144.29:44301"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000003.291666157.0000000003B12000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: AppLaunch.exe PID: 6652 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.OfficialKiddionsModMenuV0.8.7.exe.c3b54.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
10.2.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.3.OfficialKiddionsModMenuV0.8.7.exe.3b10000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp Malware Configuration Extractor: RedLine {"C2 url": "103.246.144.29:44301"}
Multi AV Scanner detection for submitted file
Source: OfficialKiddionsModMenuV0.8.7.exe Virustotal: Detection: 26%
Machine Learning detection for sample
Source: OfficialKiddionsModMenuV0.8.7.exe Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 10_2_0AB9E128 CryptUnprotectData,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 10_2_0AB9E8A0 CryptUnprotectData,
Source: OfficialKiddionsModMenuV0.8.7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Joe Sandbox View ASN Name: EMAXXTELECOMCOLTD-AS-APEmaxxTelecomCoLtdKH
Source: Joe Sandbox View IP Address: 103.246.144.29
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 103.246.144.29:44301
Source: unknown TCP traffic detected without corresponding DNS query: 103.246.144.29
Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp String found in binary or memory: 6i9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: http://service.r
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: http://support.a
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350551346.0000000006D87000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp, OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000003.291666157.0000000003B12000.00000040.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/ip
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab4
                  Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                  Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                  Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                  Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
                  Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.294473503.0000000000E1A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
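                  Almost all of the URL strings above are background noise: the schemas.xmlsoap.org and tempuri.org entries are WS-Trust/WCF namespace constants that any .NET process using WCF carries in memory, and the duckduckgo, ecosia, yahoo and support.google.com strings are Chrome's built-in search-provider and plugin-help metadata, read when the stealer walks the browser profile. The one string worth an IOC list is https://api.ip.sb/ip, an external-IP lookup that appears in the parent's memory and in the 0x402000 image region of the injected AppLaunch.exe. The following Python is an added example, not part of the sandbox report: it parses rows of this "String found in binary or memory" form (both the fused extraction shown above and a pipe-separated layout), records which processes' memory held each URL, and separates expected noise from strings to review. The noise allow-list and the truncation heuristic are this example's assumptions; the sample rows are a constructed subset of the report.

```python
"""Turn 'String found in binary or memory' rows into a reviewable URL list.

Added example, not part of the sandbox report.  The allow-list of expected
noise and the truncation heuristic are assumptions of this example.
"""
import re
from urllib.parse import urlsplit

# Matches both the fused extraction ("...sdmpString found...") and a
# pipe-separated layout ("...sdmp | String found...").
ROW_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$"
)

# Hosts expected in the memory of any WCF-using .NET process, or of any
# process that has read Chrome's profile data.  Assumed baseline, not a
# verdict from the sandbox.
NOISE_HOSTS = (
    "schemas.xmlsoap.org", "tempuri.org", "www.w3.org",                     # WS-*/WCF namespaces
    "duckduckgo.com", "ecosia.org", "search.yahoo.com",                     # Chrome search providers
    "google.com", "apple.com", "real.com", "interoperabilitybridges.com",   # Chrome plugin help pages
)

# Constructed subset of the report's rows, in both layouts.
SAMPLE_ROWS = """\
Source: AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
Source: AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmpString found in binary or memory: http://service.r
"""


def processes_of(sources):
    """Process names from a source column 'A.exe, <region>.sdmp, B.exe, <region>.sdmp'."""
    return sorted({t.strip() for t in sources.split(",") if not t.strip().endswith(".sdmp")})


def classify(url):
    """'noise' for allow-listed hosts, 'truncated' for strings cut off
    mid-host (e.g. 'service.r'), otherwise 'review'."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    if len(labels) < 2 or len(labels[-1]) < 2:
        return "truncated"
    if any(host == n or host.endswith("." + n) for n in NOISE_HOSTS):
        return "noise"
    return "review"


def triage(report_text):
    """Map each URL to its verdict and the processes whose memory held it."""
    out = {}
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        url = m["url"]
        entry = out.setdefault(url, {"verdict": classify(url), "processes": set()})
        entry["processes"].update(processes_of(m["sources"]))
    for entry in out.values():
        entry["processes"] = sorted(entry["processes"])
    return out


def to_review(report_text):
    """URLs that survive the noise filter, in report order."""
    return [u for u, e in triage(report_text).items() if e["verdict"] == "review"]


if __name__ == "__main__":
    for url, entry in triage(SAMPLE_ROWS).items():
        print(f"{entry['verdict']:9} {url}  <- {', '.join(entry['processes'])}")
```

Truncated strings such as "http://support.a" or "https://get.adob" cannot always be told apart from real hosts by shape alone, so anything not caught by the two-character TLD check stays in the review bucket for a human to dismiss.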

                  System Summary:

                  PE file has nameless sections
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: (empty)
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: (empty)
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: (empty)
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: (empty)
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: (empty)
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: (empty)
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C6A4
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C6B3
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C68A
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C69D
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C6F0
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C6DB
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C67B
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C728
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C709
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6C718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0533EC28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A27E298
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A279880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A2751D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A27B9D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A27AEB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A277F70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A93DDF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A9318C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB90800
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB929C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB90D9F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB9B2D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB94308
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB91340
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB99B20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB9D3BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB9B6D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB907F2
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000003.282742747.00000000028B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs OfficialKiddionsModMenuV0.8.7.exe
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000003.282742747.00000000028B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSV vs OfficialKiddionsModMenuV0.8.7.exe
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000003.291717303.0000000003B2C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameMares.exe4 vs OfficialKiddionsModMenuV0.8.7.exe
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.294607982.0000000002911000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename vs OfficialKiddionsModMenuV0.8.7.exe
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.294607982.0000000002911000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameSV vs OfficialKiddionsModMenuV0.8.7.exe
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMares.exe4 vs OfficialKiddionsModMenuV0.8.7.exe
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: Section (nameless): ZLIB complexity 1.00043874547
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: Section (nameless): ZLIB complexity 1.00051229508
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: Section (nameless): ZLIB complexity 1.0107421875
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Virustotal: Detection: 26%
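                  The nameless sections, the ZLIB complexity figures above 1.0 and the oversized raw section reported for this sample are cheap static checks that can be reproduced without the sandbox. A complexity of 1.0 or more means zlib could not shrink the section at all, which is what packed or encrypted payload data looks like; the 11 bytes of zlib framing on a 0x400-byte incompressible section give 1035/1024 = 1.0107421875, the same number the report shows for one of this sample's sections. The Python below is an added example, not the sandbox's own tooling: it reads the COFF and section headers of a PE32 image with struct, reports sections whose 8-byte name field is all zeros, computes len(zlib.compress(section)) / len(section) as a comparable complexity figure, and flags raw sections above a size limit. The image it analyses is constructed in memory by build_test_pe; the 0.99 complexity threshold and the default 0x100000 size limit are assumptions.

```python
"""Static PE section triage: nameless sections, zlib complexity, oversized raw data.

Added example, not the sandbox's own code.  The PE image is constructed in
memory so the checks can be exercised offline; only the header fields this
parser reads are populated in the test image.
"""
import random
import struct
import zlib

SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)
FILE_ALIGN = 0x200


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def build_test_pe(sections):
    """Constructed PE32 image: MZ stub, PE signature, COFF header, zeroed
    optional header, one section header per (name, data) pair, then the
    section bodies padded to FILE_ALIGN.  Not a loadable binary."""
    opt_size = 0xE0                       # IMAGE_OPTIONAL_HEADER32 size
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + 20 + opt_size + SECTION_HDR_SIZE * len(sections)
    raw_ptr = _align(headers_end)

    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE|32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)

    hdrs, bodies = b"", b""
    for name, data in sections:
        raw_size = _align(len(data))
        hdrs += struct.pack(SECTION_HDR, name, len(data), 0x1000, raw_size, raw_ptr,
                            0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + hdrs
    return image.ljust(_align(headers_end), b"\0") + bodies


def parse_sections(pe):
    """Yield (name, raw_data) for every section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HDR, pe, table + i * SECTION_HDR_SIZE)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        yield name.rstrip(b"\0").decode("latin-1"), pe[raw_ptr:raw_ptr + raw_size]


def zlib_complexity(data):
    """Compressed-over-raw ratio; >= 1.0 means zlib could not shrink the data,
    which is typical of packed or encrypted sections."""
    return len(zlib.compress(data)) / len(data) if data else 0.0


def triage_pe(pe, size_limit=0x100000, complexity_threshold=0.99):
    """Per-section findings of the kind the report lists.  The thresholds are
    this example's assumptions, not the sandbox's."""
    findings = []
    for idx, (name, data) in enumerate(parse_sections(pe)):
        notes = []
        if name == "":
            notes.append("nameless section")
        c = zlib_complexity(data)
        if c > complexity_threshold:
            notes.append(f"ZLIB complexity {c:.11g} (incompressible)")
        if len(data) > size_limit:
            notes.append(f"raw size 0x{len(data):x} exceeds 0x{size_limit:x}")
        findings.append({"index": idx, "name": name, "zlib_complexity": c, "notes": notes})
    return findings


def demo_image():
    """Constructed sample: a named, compressible .text section and a nameless
    0x400-byte section of seeded pseudo-random bytes standing in for packed data."""
    rng = random.Random(0x5EED)
    packed = bytes(rng.getrandbits(8) for _ in range(0x400))
    return build_test_pe([(b".text", b"\x90" * 0x100 + b"\xc3"), (b"", packed)])


if __name__ == "__main__":
    for f in triage_pe(demo_image(), size_limit=0x200):
        print(f["index"], repr(f["name"]), f"{f['zlib_complexity']:.4f}", f["notes"])
```

The size limit is a parameter so the same routine can be pointed at the report's 0x100000 threshold on a real file, or tightened, as the demo does, to exercise the check on a small constructed image.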
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe "C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe"
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Yandex
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/1
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static file information: File size 4397056 > 1048576
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x3cd400
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A742F8 push ecx; retf
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A70E28 push ebp; ret
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6E66B pushfd ; ret
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6CB8F push cs; retf
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A747C7 push ebx; iretd
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A71F21 push edx; ret
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6CB1D push edi; iretd
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Code function: 1_3_02A6EB70 push ecx; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_05333C58 push esp; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_05333C93 push esp; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A27D042 pushad ; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0A9318B0 push esp; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 10_2_0AB9F9B8 push E863A1F5h; retf
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name:
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name:
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name:
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name:
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name:
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name:
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: .yke1AWY
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: section name: .adata
                  Source: OfficialKiddionsModMenuV0.8.7.exe | Static PE information: real checksum: 0x438810 should be: 0x43a204
                  Source: initial sample | Static PE information: section name: entropy: 7.99788481833
                  Source: initial sample | Static PE information: section name: entropy: 7.9951936828
                  Source: initial sample | Static PE information: section name: entropy: 7.79914503297
                  Source: initial sample | Static PE information: section name: .rsrc entropy: 6.95928882324
                  Source: initial sample | Static PE information: section name: .yke1AWY entropy: 7.91755317496

                  Hooking and other Techniques for Hiding and Protection:

                  Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 2990005 value: E9 FB BF C8 74
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 7761C000 value: E9 0A 40 37 8B
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 2B50008 value: E9 AB E0 B0 74
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 7765E0B0 value: E9 60 1F 4F 8B
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 2CB0005 value: E9 CB 5A C5 73
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 76905AD0 value: E9 3A A5 3A 8C
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 2D70005 value: E9 5B B0 BB 73
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 7692B060 value: E9 AA 4F 44 8C
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 3AF0005 value: E9 DB F8 A5 70
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 7454F8E0 value: E9 2A 07 5A 8F
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 3B00005 value: E9 FB 42 A7 70
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: PID: 7072 base: 74574300 value: E9 0A BD 58 8F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.292430105.0000000000435000.00000020.00020000.sdmp | Binary or memory string: OUSBIEDLL.DLLVHE%
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.292430105.0000000000435000.00000020.00020000.sdmp | Binary or memory string: OUSBIEDLL.DLL
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6136 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6732 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 2128
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 889
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Process information queried: ProcessInformation
                  Source: OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.294473503.0000000000E1A000.00000004.00000020.sdmp, AppLaunch.exe, 0000000A.00000002.350037953.000000000500C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4A89008
                  Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Message posted: Message id: QUERYENDSESSION
                  Allocates memory in foreign processes
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information:

                  Yara detected RedLine Stealer
                  Source: Yara match | File source: 1.2.OfficialKiddionsModMenuV0.8.7.exe.c3b54.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.OfficialKiddionsModMenuV0.8.7.exe.3b10000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.291666157.0000000003B12000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Tries to steal Crypto Currency Wallets
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6652, type: MEMORYSTR

                  Remote Access Functionality:

                  Yara detected RedLine Stealer
                  Source: Yara match | File source: 1.2.OfficialKiddionsModMenuV0.8.7.exe.c3b54.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.3.OfficialKiddionsModMenuV0.8.7.exe.3b10000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.291666157.0000000003B12000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: dump.pcap, type: PCAP

                  Mitre Att&ck Matrix

                  Techniques listed per tactic column (the number after a technique is the count badge shown in the matrix):
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                  Execution: Windows Management Instrumentation 221; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
                  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                  Privilege Escalation: Process Injection 311; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
                  Defense Evasion: Masquerading 1; Disable or Modify Tools 11; Virtualization/Sandbox Evasion 231; Process Injection 311; Obfuscated Files or Information 2; Software Packing 2
                  Credential Access: OS Credential Dumping 1; Credential API Hooking 1; Input Capture 1; NTDS; LSA Secrets; Cached Domain Credentials
                  Discovery: Security Software Discovery 321; Process Discovery 11; Virtualization/Sandbox Evasion 231; Application Window Discovery 1; System Information Discovery 123; System Owner/User Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                  Collection: Credential API Hooking 1; Input Capture 1; Archive Collected Data 1; Data from Local System 2; Keylogging; GUI Input Capture
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                  Command and Control: Encrypted Channel 2; Non-Standard Port 1; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

                  Behavior Graph

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  OfficialKiddionsModMenuV0.8.7.exe | 26% | Virustotal |
                  OfficialKiddionsModMenuV0.8.7.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  1.0.OfficialKiddionsModMenuV0.8.7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  1.1.OfficialKiddionsModMenuV0.8.7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                  1.2.OfficialKiddionsModMenuV0.8.7.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                  Domains

                  No Antivirus matches

                  URLs

                  Source | Detection | Scanner | Label
                  http://service.r | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
                  http://tempuri.org/ | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
                  http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
                  http://support.a | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
                  https://api.ip.sb/ip | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
                  http://forms.rea | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
                  http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                    high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sctAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                      high
                      https://duckduckgo.com/chrome_newtabAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351542491.0000000006F79000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353500698.0000000007F6C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.353413406.0000000007EFB000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmpfalse
                        high
                        http://service.rAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                          high
                          https://duckduckgo.com/ac/?q=AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmpfalse
                            high
                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                              high
                              http://tempuri.org/Entity/Id12ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://tempuri.org/AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://tempuri.org/Entity/Id2ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                high
                                http://tempuri.org/Entity/Id21ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                  high
                                  http://tempuri.org/Entity/Id9AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                    high
                                    http://tempuri.org/Entity/Id8AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://tempuri.org/Entity/Id5AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                      high
                                      http://tempuri.org/Entity/Id4AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://tempuri.org/Entity/Id7AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://tempuri.org/Entity/Id6AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                        high
                                        https://support.google.com/chrome/?p=plugin_realAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                          high
                                          http://tempuri.org/Entity/Id19ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.interoperabilitybridges.com/wmp-extension-for-chromeAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://support.google.com/chrome/?p=plugin_pdfAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/faultAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsatAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://tempuri.org/Entity/Id15ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://forms.real.com/real/realone/download.html?type=rpsp_usAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://support.aAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id6ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://api.ip.sb/ipOfficialKiddionsModMenuV0.8.7.exe, 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp, OfficialKiddionsModMenuV0.8.7.exe, 00000001.00000003.291666157.0000000003B12000.00000040.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exeAppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://support.google.com/chrome/?p=plugin_quicktimeAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2004/04/scAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id9ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351328252.0000000006EB7000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350715517.0000000006DF6000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id20AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://tempuri.org/Entity/Id21AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350551346.0000000006D87000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://tempuri.org/Entity/Id22AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id23AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id24AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id24ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id1ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressingAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://support.google.com/chrome/?p=plugin_shockwaveAppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://forms.reaAppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trustAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id10AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id11AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id12AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id16ResponseAppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelAppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id13AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id14AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id15AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://tempuri.org/Entity/Id16 | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id17 | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19 | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id10Response | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350561310.0000000006D8B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_wmp | AppLaunch.exe, 0000000A.00000002.351614640.0000000006F8F000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.350886277.0000000006E0C000.00000004.00000001.sdmp, AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/answer/6258784 | AppLaunch.exe, 0000000A.00000002.351383258.0000000006ECE000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | AppLaunch.exe, 0000000A.00000002.350492242.0000000006D10000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/soap/envelope/ | AppLaunch.exe, 0000000A.00000002.350441198.0000000006C81000.00000004.00000001.sdmp | false | | high

                                                                                                                                          Contacted IPs


                                                                                                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.246.144.29 | unknown | Cambodia | 58447 | EMAXXTELECOMCOLTD-AS-APEmaxxTelecomCoLtdKH | true

                                                                                                                                          General Information

                                                                                                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                          Analysis ID:546181
                                                                                                                                          Start date:29.12.2021
                                                                                                                                          Start time:08:50:28
                                                                                                                                          Joe Sandbox Product:CloudBasic
                                                                                                                                          Overall analysis duration:0h 7m 33s
                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                          Report type:light
                                                                                                                                          Sample file name:OfficialKiddionsModMenuV0.8.7.exe
                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                          Number of injected processes analysed:0
                                                                                                                                          Technologies:
                                                                                                                                          • HCA enabled
                                                                                                                                          • EGA enabled
                                                                                                                                          • HDC enabled
                                                                                                                                          • AMSI enabled
                                                                                                                                          Analysis Mode:default
                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                          Detection:MAL
                                                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@0/1
                                                                                                                                          EGA Information:Failed
                                                                                                                                          HDC Information:
                                                                                                                                          • Successful, ratio: 88.1% (good quality ratio 73.8%)
                                                                                                                                          • Quality average: 64.2%
                                                                                                                                          • Quality standard deviation: 34.1%
                                                                                                                                          HCA Information:
                                                                                                                                          • Successful, ratio: 87%
                                                                                                                                          • Number of executed functions: 0
                                                                                                                                          • Number of non-executed functions: 0
                                                                                                                                          Cookbook Comments:
                                                                                                                                          • Adjust boot time
                                                                                                                                          • Enable AMSI
                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                          Warnings:
                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                          • TCP Packets have been reduced to 100
                                                                                                                                          • Excluded IPs from analysis (whitelisted): 23.203.78.112
                                                                                                                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, wildcard.weather.microsoft.com.edgekey.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, e15275.g.akamaiedge.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                          Simulations

                                                                                                                                          Behavior and APIs

Time | Type | Description
08:51:51 | API Interceptor | 17x Sleep call for process: AppLaunch.exe modified

                                                                                                                                          Joe Sandbox View / Context

                                                                                                                                          IPs

                                                                                                                                          No context

                                                                                                                                          Domains

                                                                                                                                          No context

                                                                                                                                          ASN

                                                                                                                                          No context

                                                                                                                                          JA3 Fingerprints

                                                                                                                                          No context

                                                                                                                                          Dropped Files

                                                                                                                                          No context

                                                                                                                                          Created / dropped Files

                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2291
                                                                                                                                          Entropy (8bit):5.3192079301865585
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:MOfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKAHK1HxLHG1qHqH5HX:vq5qXAqLqdqUqzcGYqhQnoPtIxHbqAqG
                                                                                                                                          MD5:174E563C986AB09114A6F31F870A6E13
                                                                                                                                          SHA1:F68EFDC04D0559B24C448E629A0115F2E6C3B39D
                                                                                                                                          SHA-256:465C8001CEFD747AF8A94EDD62CC829D8DFF4D6BED174591DA0B71E10FDC584F
                                                                                                                                          SHA-512:252A2B615BB7BB4223F0873F41CC7C4BC6576172CD704DD93926E004CD5795CA5DC2DE3332586BF3C44E0B564148A7661563C00B204649C7A5594C097C1E9ECE
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=

                                                                                                                                          Static File Info

                                                                                                                                          General

                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Entropy (8bit):7.999073227693366
                                                                                                                                          TrID:
                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                          File name:OfficialKiddionsModMenuV0.8.7.exe
                                                                                                                                          File size:4397056
                                                                                                                                          MD5:7de3896baf12500f3e1cd311e2340806
                                                                                                                                          SHA1:500b906981aaa4810848643f1d8c17efa87bad20
                                                                                                                                          SHA256:213fce24e326925749adebaff2d85e23bba2b616c872e2089b23fa231f18756e
                                                                                                                                          SHA512:d08cf4dcb3170f4654ef7121078b2c902285732dc3b2292d1a1e9d576f639050c98c08e8d1391b1bfa46f313bb9b8840968b86077d5e52f49e882994f13abef1
                                                                                                                                          SSDEEP:98304:xmAM03cGX50EXFEACRwiGbJ3hjOQxsaS3XnLUBzEydzEI:xBM03c+0ACRZGNBdONXe5
                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.a................. ...................@....@...........................n.......C....................................

                                                                                                                                          File Icon

                                                                                                                                          Icon Hash:00828e8e8686b000

                                                                                                                                          Static PE Info

                                                                                                                                          General

                                                                                                                                          Entrypoint:0x401000
                                                                                                                                          Entrypoint Section:
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows gui
                                                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                                                                          Time Stamp:0x61CB6117 [Tue Dec 28 19:10:15 2021 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:
                                                                                                                                          OS Version Major:6
                                                                                                                                          OS Version Minor:0
                                                                                                                                          File Version Major:6
                                                                                                                                          File Version Minor:0
                                                                                                                                          Subsystem Version Major:6
                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                          Import Hash:9a4258c5d218cf6e5c500e8415d5f5ed

Entrypoint Preview

Instruction
push 00A9E001h
call 00007F928879CFB6h
ret
ret
js 00007F928879D003h
sbb eax, B4729368h
pop edi
jecxz 00007F928879CF38h
jl 00007F928879CF9Ch
pushad
fdivr dword ptr [ecx]
mov dword ptr [esi-19286F1Bh], edi
xchg eax, ecx
push ebp
daa
and esp, dword ptr [esi+5517E0F3h]
and bh, byte ptr [edi]
and dword ptr [esi], eax
adc dword ptr [esi+03h], ebx
shr ebx, cl
push ss
salc
pushad
inc ebp
outsd
push ds
out A0h, al
into
jno 00007F928879CFC7h
pop ss
cmc
pop edi

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x69ec7c         0x19c         .yke1AWY
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x69d000         0x1d5         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x100000

Sections

Name       Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy
(no name)  0x1000           0x22000       0x11400   False     1.00043874547    data       7.99788481833
(no name)  0x23000          0x47c         0x0       False     0                empty      0.0
(no name)  0x24000          0xf000        0x7a00    False     1.00051229508    data       7.9951936828
(no name)  0x33000          0x2000        0x400     False     1.0107421875     data       7.79914503297
(no name)  0x35000          0x26c1d5      0x0       unknown   unknown          unknown    unknown
(no name)  0x2a2000         0x3fb000      0x3cd400  unknown   unknown          unknown    unknown
.rsrc      0x69d000         0x1000        0x200     False     0.9453125        data       6.95928882324
.yke1AWY   0x69e000         0x4b000       0x4ac00   False     0.98668412939    data       7.91755317496
.adata     0x6e9000         0x1000        0x0       False     0                empty      0.0

Characteristics (identical for every section): IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                   Language  Country
RT_MANIFEST  0x69ee18  0x17d  XML 1.0 document text  English   United States

Imports

DLL           Import
kernel32.dll  GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll    SendNotifyMessageA
wtsapi32.dll  WTSSendMessageW
user32.dll    GetProcessWindowStation
user32.dll    GetProcessWindowStation
oleaut32.dll  VariantChangeTypeEx
kernel32.dll  RaiseException

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Network Port Distribution

TCP Packets


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 08:51:22
Start date: 29/12/2021
Path: C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\OfficialKiddionsModMenuV0.8.7.exe"
Imagebase: 0x400000
File size: 4397056 bytes
MD5 hash: 7DE3896BAF12500F3E1CD311E2340806
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.292031662.00000000000C2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000003.291666157.0000000003B12000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 08:51:26
Start date: 29/12/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0x2b0000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.348909899.0000000000402000.00000020.00000001.sdmp, Author: Joe Security
Reputation: moderate

Disassembly

Code Analysis
