Windows Analysis Report
LiquidBounceLauncher.exe

Overview

General Information

Sample Name: LiquidBounceLauncher.exe
Analysis ID: 632538
MD5: 8aaeb1206b0ba5bc0d7697148509a3be
SHA1: 901683aa4bdef5527b69484de7a91a30e91348f0
SHA256: 61993e08ea08b735c8966bea3c2cab4dbd2c62ccd1ad88ec42c59e1a9a8f8c71
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 4.2.AppLaunch.exe.400000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["185.106.92.73:34437"], "Bot Id": "", "Authorization Header": "3735c25e5f9d7ebba04764842edf761c"}
Source: LiquidBounceLauncher.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Virustotal: Detection: 35%
Source: LiquidBounceLauncher.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Joe Sandbox ML: detected
Source: 17.3.Tempsvchost.exe.2260000.0.unpack Avira: Label: TR/ATRAPS.Gen4
Source: LiquidBounceLauncher.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 176.9.247.226:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004291F0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 0_2_004291F0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00428CA0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 17_2_00428CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_005468A3 FindFirstFileExW, 20_2_005468A3
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 4x nop then mov edx, dword ptr [ecx+08h] 0_2_0043612A
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 4x nop then push ebp 0_2_00438496
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 4x nop then sub esp, 1Ch 0_2_00430760
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 4x nop then mov eax, dword ptr [ecx] 0_2_00434830
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 4x nop then sub esp, 1Ch 17_2_00430210
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 4x nop then push ebx 17_2_00477670
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 4x nop then jmp 004720E0h 17_2_004747E0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 17_2_0049E780
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 4x nop then jmp 004882D0h 17_2_0048A900

Networking

Source: Traffic Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49760 -> 185.106.92.73:34437
Source: Traffic Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49760 -> 185.106.92.73:34437
Source: Traffic Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 185.106.92.73:34437 -> 192.168.2.4:49760
Source: Yara match File source: 4.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LiquidBounceLauncher.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: SUPERSERVERSDATACENTERRU
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /628a4c7f14fb9g?raw HTTP/1.1 Host: dl.uploadgram.me Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 176.9.247.226
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 185.106.92.73:34437
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown TCP traffic detected without corresponding DNS query: 185.106.92.73
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AppLaunch.exe, 00000004.00000002.360218389.000000000A3C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AppLaunch.exe, 00000004.00000002.356781600.0000000007767000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dl.uploadgram.me
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://forms.rea
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: Tempsvchost.exe.4.dr String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: AppLaunch.exe, 00000004.00000002.355068961.0000000007091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000004.00000002.355068961.0000000007091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: AppLaunch.exe, 00000004.00000002.355068961.0000000007091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000004.00000002.355068961.0000000007091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL
Source: AppLaunch.exe, 00000004.00000002.355068961.0000000007091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: AppLaunch.exe, 00000004.00000002.355152654.0000000007121000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355711541.00000000073D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355538295.0000000007326000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: AppLaunch.exe, 00000004.00000002.356291916.0000000007616000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355525800.000000000731F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356056989.0000000007555000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.358181456.00000000084D0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355371895.0000000007281000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355865556.0000000007495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356235277.0000000007600000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.358403236.0000000008541000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.357633859.0000000008257000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356578561.00000000076D8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355237303.00000000071D2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355979406.000000000753F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.356471909.00000000076C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000004.00000002.355428723.0000000007298000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: dl.uploadgram.me
Source: global traffic HTTP traffic detected: GET /628a4c7f14fb9g?raw HTTP/1.1 Host: dl.uploadgram.me Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 176.9.247.226:443 -> 192.168.2.4:49769 version: TLS 1.2

System Summary

Source: 4.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.LiquidBounceLauncher.exe.7b0000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.LiquidBounceLauncher.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.LiquidBounceLauncher.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: LiquidBounceLauncher.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 4.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.LiquidBounceLauncher.exe.7b0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.LiquidBounceLauncher.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.LiquidBounceLauncher.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Tempsvchost.exe_47485259fa2fe91b22eefff99ee659f6163bac7_70cd5a86_1b5f7a5c\Report.wer, type: DROPPED Matched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth, description = Detects a crashed application executed in a suspicious directory, reference = https://twitter.com/cyb3rops/status/1185585050059976705, score =
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 652
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0042A030 0_2_0042A030
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004490C0 0_2_004490C0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0045E0C0 0_2_0045E0C0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0044A0F0 0_2_0044A0F0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004550B0 0_2_004550B0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00457270 0_2_00457270
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00459220 0_2_00459220
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004502C0 0_2_004502C0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004192E0 0_2_004192E0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0044E2A0 0_2_0044E2A0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0041F2B0 0_2_0041F2B0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0042C2B0 0_2_0042C2B0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00442300 0_2_00442300
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0046C470 0_2_0046C470
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00420540 0_2_00420540
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00421580 0_2_00421580
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004546D0 0_2_004546D0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0045D6E0 0_2_0045D6E0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0046B740 0_2_0046B740
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00458750 0_2_00458750
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0046A730 0_2_0046A730
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0044F810 0_2_0044F810
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0045A810 0_2_0045A810
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004518F0 0_2_004518F0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004459D0 0_2_004459D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 4_2_0707EF68 4_2_0707EF68
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004EF03E 17_2_004EF03E
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00421030 17_2_00421030
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004EF15E 17_2_004EF15E
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004E1170 17_2_004E1170
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0046A1E0 17_2_0046A1E0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0046B1F0 17_2_0046B1F0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00454180 17_2_00454180
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0045D190 17_2_0045D190
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00458200 17_2_00458200
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0044F2C0 17_2_0044F2C0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0045A2C0 17_2_0045A2C0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004513A0 17_2_004513A0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004234E0 17_2_004234E0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00445480 17_2_00445480
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004694B0 17_2_004694B0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0045E540 17_2_0045E540
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00420680 17_2_00420680
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004466A0 17_2_004466A0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0045B730 17_2_0045B730
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004F3739 17_2_004F3739
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004527C0 17_2_004527C0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004577F0 17_2_004577F0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00447790 17_2_00447790
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004E8870 17_2_004E8870
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0044E800 17_2_0044E800
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00420810 17_2_00420810
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00450830 17_2_00450830
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00424A70 17_2_00424A70
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00429AE0 17_2_00429AE0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004E8AA2 17_2_004E8AA2
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00454B60 17_2_00454B60
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00448B70 17_2_00448B70
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0045DB70 17_2_0045DB70
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00449BA0 17_2_00449BA0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00458CD0 17_2_00458CD0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004E5CE0 17_2_004E5CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00511000 20_2_00511000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00513240 20_2_00513240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0054A319 20_2_0054A319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0053F450 20_2_0053F450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0053F682 20_2_0053F682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0053F8DF 20_2_0053F8DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0053C8C0 20_2_0053C8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0053A95B 20_2_0053A95B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0054EACD 20_2_0054EACD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00545C1E 20_2_00545C1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00537D50 20_2_00537D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00545D3E 20_2_00545D3E
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: String function: 0040146E appears 58 times
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: String function: 0043A220 appears 34 times
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: String function: 0040146E appears 44 times
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: String function: 004A95A0 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: String function: 005411D7 appears 167 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: String function: 00535900 appears 41 times
Source: LiquidBounceLauncher.exe Binary or memory string: OriginalFilename vs LiquidBounceLauncher.exe
Source: LiquidBounceLauncher.exe, 00000000.00000000.263929326.00000000004B7000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWhirrings.exe4 vs LiquidBounceLauncher.exe
Source: LiquidBounceLauncher.exe, 00000000.00000003.261371642.00000000007B2000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWhirrings.exe4 vs LiquidBounceLauncher.exe
Source: LiquidBounceLauncher.exe Static PE information: invalid certificate
Source: LiquidBounceLauncher.exe ReversingLabs: Detection: 19%
Source: LiquidBounceLauncher.exe Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\LiquidBounceLauncher.exe "C:\Users\user\Desktop\LiquidBounceLauncher.exe"
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Tempsvchost.exe "C:\Users\user\AppData\Local\Tempsvchost.exe"
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 660
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Tempsvchost.exe "C:\Users\user\AppData\Local\Tempsvchost.exe"
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D03.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/10@1/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 0.3.LiquidBounceLauncher.exe.7b0000.0.unpack, BrEx.cs Base64 encoded string: '…'
Source: 4.2.AppLaunch.exe.400000.0.unpack, BrEx.cs Base64 encoded string: '…'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6588
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: LiquidBounceLauncher.exe Static file information: File size 1156040 > 1048576
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0046E470 push eax; mov dword ptr [esp], ebx 0_2_0046E98B
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004815E0 push eax; mov dword ptr [esp], ebx 0_2_00481960
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004806D0 push eax; mov dword ptr [esp], ebx 0_2_00480940
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0047D840 push eax; mov dword ptr [esp], ebx 0_2_0047D976
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_0046E9A0 push eax; mov dword ptr [esp], ebx 0_2_0046EEBB
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00481090 push eax; mov dword ptr [esp], ebx 17_2_00481410
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00480180 push eax; mov dword ptr [esp], ebx 17_2_004803F0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0047D2F0 push eax; mov dword ptr [esp], ebx 17_2_0047D426
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0046E450 push eax; mov dword ptr [esp], ebx 17_2_0046E96B
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0047D540 push eax; mov dword ptr [esp], ebx 17_2_0047D676
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004816E0 push eax; mov dword ptr [esp], ebx 17_2_00481A60
Source: LiquidBounceLauncher.exe Static PE information: section name: .eh_fram
Source: Tempsvchost.exe.4.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit, 0_2_00401340
Source: LiquidBounceLauncher.exe Static PE information: real checksum: 0x119a4f should be: 0x125029
Source: Tempsvchost.exe.4.dr Static PE information: real checksum: 0x1cc809 should be: 0x1d85ee
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Tempsvchost.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6532 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 3432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 4959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe API coverage: 1.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00516EF0 GetSystemInfo, 20_2_00516EF0
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004291F0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 0_2_004291F0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00428CA0 FindFirstFileA,_errno,GetLastError,_errno,_errno,_errno,_errno,_errno, 17_2_00428CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_005468A3 FindFirstFileExW, 20_2_005468A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Tempsvchost.exe API call chain: ExitProcess graph end node
Source: AppLaunch.exe, 00000004.00000002.354656742.0000000005521000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\]
Source: AppLaunch.exe, 00000004.00000002.360218389.000000000A3C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: AppLaunch.exe, 00000004.00000002.354787034.00000000055A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: AppLaunch.exe, 00000004.00000002.360218389.000000000A3C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware316SXOVTWin32_VideoControllerLN2T19VYVideoController120060621000000.000000-00011432646display.infMSBDAYL91XYF1PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsXPWFG3Y9S
Source: AppLaunch.exe, 00000004.00000002.354787034.00000000055A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AppLaunch.exe, 00000004.00000002.354787034.00000000055A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_005463B8 IsDebuggerPresent,OutputDebugStringW, 20_2_005463B8
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00401340 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,atexit, 0_2_00401340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_005481D0 GetProcessHeap, 20_2_005481D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004B09BC mov eax, dword ptr fs:[00000030h] 0_2_004B09BC
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_00415EC4 mov eax, dword ptr fs:[00000030h] 0_2_00415EC4
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004D234C mov eax, dword ptr fs:[00000030h] 0_2_004D234C
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004B046C mov eax, dword ptr fs:[00000030h] 17_2_004B046C
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_00415972 mov eax, dword ptr fs:[00000030h] 17_2_00415972
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004DB430 mov eax, dword ptr fs:[00000030h] 17_2_004DB430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00532010 mov eax, dword ptr fs:[00000030h] 20_2_00532010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_005399F4 mov eax, dword ptr fs:[00000030h] 20_2_005399F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00542A60 mov eax, dword ptr fs:[00000030h] 20_2_00542A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00542AD5 mov eax, dword ptr fs:[00000030h] 20_2_00542AD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00542AA4 mov eax, dword ptr fs:[00000030h] 20_2_00542AA4
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004011B0 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 0_2_004011B0
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_004011B0 SetUnhandledExceptionFilter,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 17_2_004011B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00535835 SetUnhandledExceptionFilter, 20_2_00535835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_0053521C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_0053521C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00539503 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00539503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_005356A2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_005356A2

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: FAF008
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 510000
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 208008
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 510000 protect: page execute and read and write
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 510000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Code function: 0_2_004D2381 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_004D2381
Source: C:\Users\user\Desktop\LiquidBounceLauncher.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Users\user\AppData\Local\Tempsvchost.exe "C:\Users\user\AppData\Local\Tempsvchost.exe"
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Tempsvchost.exe Code function: 17_2_0041F7E0 cpuid 17_2_0041F7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 20_2_00541258 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 20_2_00541258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 4.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LiquidBounceLauncher.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LiquidBounceLauncher.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LiquidBounceLauncher.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.263929326.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.263225019.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.261371642.00000000007B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285108215.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.353313209.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LiquidBounceLauncher.exe PID: 3368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 4616, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 4616, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 4.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.LiquidBounceLauncher.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LiquidBounceLauncher.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LiquidBounceLauncher.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LiquidBounceLauncher.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.263929326.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.263225019.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.261371642.00000000007B2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285108215.00000000004B7000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.353313209.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LiquidBounceLauncher.exe PID: 3368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 4616, type: MEMORYSTR