Windows Analysis Report
AHj20WexRe.exe

Overview

General Information

Sample Name: AHj20WexRe.exe
Analysis ID: 652391
MD5: feed21ebd82979e5638211ca7b5f9f02
SHA1: b05191bad788b3cef9fd56c2da96846531b25856
SHA256: 7220cc97230b21abdcf6d7d01db4be1d85679828173f537349b87ed4a914f979
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc.)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • AHj20WexRe.exe (PID: 5964 cmdline: "C:\Users\user\Desktop\AHj20WexRe.exe" MD5: FEED21EBD82979E5638211CA7B5F9F02)
    • conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 5308 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup
{"C2 url": ["193.233.193.55:48403"], "Bot Id": "166", "Authorization Header": "cb0f6806eb50e7a87e4ac51ebd57f0da"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.265307308.0000000000EB2000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.342959659.0000000000402000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000000.265590293.0000000000402000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000000.265268925.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(4 further memory-dump entries are not shown on this page)

Source | Rule | Description | Author | Strings
2.0.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.0.AppLaunch.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2.0.AppLaunch.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | matched strings listed below
  • 0x19c50:$pat14: , CommandLine:
  • 0x12cc1:$v2_1: ListOfProcesses
  • 0x12a81:$v4_3: base64str
  • 0x136c5:$v4_4: stringKey
  • 0x11233:$v4_5: BytesToStringConverted
  • 0x1032e:$v4_6: FromBase64
  • 0x117a6:$v4_8: procName
  • 0x11abc:$v5_1: DownloadAndExecuteUpdate
  • 0x12958:$v5_2: ITaskProcessor
  • 0x11aaa:$v5_3: CommandLineUpdate
  • 0x11a9b:$v5_4: DownloadUpdate
  • 0x11e9f:$v5_5: FileScanning
  • 0x11454:$v5_7: RecordHeaderField
  • 0x110bc:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.AHj20WexRe.exe.eb0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.3.AHj20WexRe.exe.eb0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(9 further unpacked-PE entries are not shown on this page)
                      No Sigma rule has matched
Timestamp: 06/26/22-09:44:57.292264
Source IP: 193.233.193.55
Destination IP: 192.168.2.4
SID: 2850353
Source Port: 48403
Destination Port: 49758
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/26/22-09:45:16.984458
Source IP: 192.168.2.4
Destination IP: 193.233.193.55
SID: 2850286
Source Port: 49758
Destination Port: 48403
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 06/26/22-09:44:55.578726
Source IP: 192.168.2.4
Destination IP: 193.233.193.55
SID: 2850027
Source Port: 49758
Destination Port: 48403
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: AHj20WexRe.exe | Joe Sandbox ML: detected
Source: 2.2.AppLaunch.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["193.233.193.55:48403"], "Bot Id": "166", "Authorization Header": "cb0f6806eb50e7a87e4ac51ebd57f0da"}
Source: AHj20WexRe.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AHj20WexRe.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_0080C641 FindFirstFileExW,

                      Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49758 -> 193.233.193.55:48403
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49758 -> 193.233.193.55:48403
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 193.233.193.55:48403 -> 192.168.2.4:49758
Source: Yara match | File source: 2.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.AHj20WexRe.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View | IP Address: 193.233.193.55
Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 193.233.193.55:48403
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.193.55
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://service.r
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://support.a
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: AHj20WexRe.exe, 00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.342959659.0000000000402000.00000020.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265268925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://get.adob
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://helpx.ad
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                      Source: AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                      Source: AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                      Source: AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                      Source: AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: AHj20WexRe.exe, 00000000.00000002.266049947.00000000010DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary

                      Source: 2.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.3.AHj20WexRe.exe.eb0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.2.AHj20WexRe.exe.10eb4b8.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 2.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: AHj20WexRe.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 2.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.3.AHj20WexRe.exe.eb0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.AHj20WexRe.exe.10eb4b8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 2.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008022EA
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008123DD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_051FEF08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A6A3F50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A6A67D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A6A6FE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A6A6FF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A6AF240
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: String function: 00806FA0 appears 33 times
                      Source: AHj20WexRe.exe, 00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRoughest.exe4 vs AHj20WexRe.exe
                      Source: AHj20WexRe.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\AHj20WexRe.exe "C:\Users\user\Desktop\AHj20WexRe.exe"
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Yandex
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@0/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 0.3.AHj20WexRe.exe.eb0000.0.unpack, BrEx.cs | Base64 encoded string: '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
                      Source: 2.2.AppLaunch.exe.400000.0.unpack, BrEx.cs | Base64 encoded string: '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
                      Source: 2.0.AppLaunch.exe.400000.1.unpack, BrEx.csBase64 encoded string: 'ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApmZm5iZWxmZG9laW9o
ZW5ramlibm1hZGppZWhqaGFqYnxZb3JvaVdhbGxldAppYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb2lob2ZlY3xUcm9ubGluawpqYmRhb2NuZWlpaW5tamJqbGdhbGhjZWxnYmVqbW5pZHxOaWZ0eVdhbGxldApua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnxNZXRhbWFzawphZmJjYmpwYnBmYWRsa21obWNsaGtlZW9kbWFtY2ZsY3xNYXRoV2FsbGV0CmhuZmFua25vY2Zlb2ZiZGRnY2lqbm1obmZua2RuYWFkfENvaW5iYXNlCmZoYm9oaW1hZWxib2hwamJibGRjbmdjbmFwbmRvZGpwfEJpbmFuY2VDaGFpbgpvZGJmcGVlaWhka2JpaG1vcGtiam1vb25mYW5sYmZjbHxCcmF2ZVdhbGxldApocGdsZmhnZm5oYmdwamRlbmpnbWRnb2VpYXBwYWZsbnxHdWFyZGFXYWxsZXQKYmxuaWVpaWZmYm9pbGxrbmpuZXBvZ2poa2dub2FwYWN8RXF1YWxXYWxsZXQKY2plbGZwbHBsZWJkamplbmxscGpjYmxtamtmY2ZmbmV8SmF4eHhMaWJlcnR5CmZpaGtha2ZvYmtta2pvanBjaHBmZ2NtaGZqbm1uZnBpfEJpdEFwcFdhbGxldAprbmNjaGRpZ29iZ2hlbmJiYWRkb2pqbm5hb2dmcHBmanxpV2FsbGV0CmFta21qam1tZmxkZG9nbWhwamxvaW1pcGJvZm5mamlofFdvbWJhdApmaGlsYWhlaW1nbGlnbmRka2pnb2ZrY2JnZWtoZW5iaHxBdG9taWNXYWxsZXQKbmxibW5uaWpjbmxlZ2tqanBjZmpjbG1jZmdnZmVmZG18TWV3Q3gKbmFuam1ka25oa2luaWZua2dkY2dnY2ZuaGRhYW1tbWp8R3VpbGRXYWxsZXQKbmtkZGduY2RqZ2pmY2RkYW1mZ2NtZm5saGNjbmltaWd8U2F0dXJuV2FsbGV0CmZuamhta2hobWtiamtrYWJuZGNubm9nYWdvZ2JuZWVjfFJvbmluV2FsbGV
                      Source: 2.0.AppLaunch.exe.400000.0.unpack, BrEx.cs | Base64 encoded string: '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
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:120:WilError_01
                      Source: AHj20WexRe.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: AHj20WexRe.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00806770 push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_051F6A70 push 5D5F5E5Bh; ret
                      Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008022EA LoadLibraryA,GetProcAddress,VirtualProtect,
                      Source: C:\Users\user\Desktop\AHj20WexRe.exeCode function: 0_2_00805F40 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6724 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5276 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 1283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00801816 __EH_prolog3_catch,GetSystemInfo,GetCurrentProcess,CheckRemoteDebuggerPresent,IsDebuggerPresent,
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_0080C641 FindFirstFileExW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)

Anti Debugging

Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00801816 __EH_prolog3_catch,GetSystemInfo,GetCurrentProcess,CheckRemoteDebuggerPresent,IsDebuggerPresent, (2 identical entries)
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008022EA LoadLibraryA,GetProcAddress,VirtualProtect,
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_0080DA8A GetProcessHeap,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008098BD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_0080B3B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_010EAE7C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00806F30 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008094F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00806DCB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00806FE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\AHj20WexRe.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 53C0008
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_010EAEB1 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_00806BE7 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\AHj20WexRe.exe | Code function: 0_2_008061FA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.AHj20WexRe.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AHj20WexRe.exe.10eb4b8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.265307308.0000000000EB2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.342959659.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.265590293.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.265268925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AHj20WexRe.exe PID: 5964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5308, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5308, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.AHj20WexRe.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.AHj20WexRe.exe.10eb4b8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.265307308.0000000000EB2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.342959659.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.265590293.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.265268925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AHj20WexRe.exe PID: 5964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5308, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 221 Windows Management Instrumentation | Path Interception | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 34 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 231 Virtualization/Sandbox Evasion | Security Account Manager | 11 Process Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 411 Process Injection | NTDS | 231 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 21 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 135 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Source | Detection | Scanner | Label | Link
AHj20WexRe.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
2.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234971 |
2.0.AppLaunch.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1234971 |
2.0.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234971 |
0.3.AHj20WexRe.exe.eb0000.0.unpack | 100% | Avira | HEUR/AGEN.1234971 |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://service.r | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
http://ns.ado/Ident | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://support.a | 0% | URL Reputation | safe |
http://iptc.tc4xmp | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://forms.rea | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://service.r | AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultL | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false |
                                            high
                                            http://tempuri.org/Entity/Id4AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://tempuri.org/Entity/Id7AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://tempuri.org/Entity/Id6AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://support.google.com/chrome/?p=plugin_realAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://tempuri.org/Entity/Id19ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.interoperabilitybridges.com/wmp-extension-for-chromeAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://ns.ado/IdentAppLaunch.exe, 00000002.00000002.344360939.00000000058CC000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.342734183.00000000058CC000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.342701692.00000000058CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://support.google.com/chrome/?p=plugin_pdfAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/faultAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2004/10/wsatAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://tempuri.org/Entity/Id15ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://forms.real.com/real/realone/download.html?type=rpsp_usAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://support.aAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://iptc.tc4xmpAppLaunch.exe, 00000002.00000002.344360939.00000000058CC000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.342734183.00000000058CC000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.342701692.00000000058CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id6ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://api.ip.sb/ipAHj20WexRe.exe, 00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.342959659.0000000000402000.00000020.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265268925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exeAppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://support.google.com/chrome/?p=plugin_quicktimeAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/04/scAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id9ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341095518.0000000008748000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347991345.00000000077A0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348657429.0000000008273000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346963057.0000000007544000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348898606.0000000008329000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345511061.00000000073A8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346039544.000000000746C000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346852241.000000000752E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.341005290.00000000086D7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347919190.0000000007789000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.349554568.0000000008665000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.348407129.0000000008202000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id20AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id21AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id22AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id23AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id24AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://tempuri.org/Entity/Id24ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://tempuri.org/Entity/Id1ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressingAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://support.google.com/chrome/?p=plugin_shockwaveAppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://forms.reaAppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustAppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id10AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id11AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id12AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id16ResponseAppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id17 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id18 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5Response | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19 | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10Response | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8Response | AppLaunch.exe, 00000002.00000002.344385468.0000000007171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/?p=plugin_wmp | AppLaunch.exe, 00000002.00000002.344825989.00000000072BF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347684515.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.345620761.00000000073BE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.346163068.0000000007483000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.347200620.00000000075AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.google.com/chrome/answer/6258784 | AppLaunch.exe, 00000002.00000002.347453951.0000000007623000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | AppLaunch.exe, 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
193.233.193.55 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
                                                                                                                                          Joe Sandbox Version:35.0.0 Citrine
                                                                                                                                          Analysis ID:652391
Start date and time:2022-06-26 09:43:23 +02:00
                                                                                                                                          Joe Sandbox Product:CloudBasic
                                                                                                                                          Overall analysis duration:0h 7m 8s
                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                          Report type:light
                                                                                                                                          Sample file name:AHj20WexRe.exe
                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                          Number of injected processes analysed:0
                                                                                                                                          Technologies:
                                                                                                                                          • HCA enabled
                                                                                                                                          • EGA enabled
                                                                                                                                          • HDC enabled
                                                                                                                                          • AMSI enabled
                                                                                                                                          Analysis Mode:default
                                                                                                                                          Analysis stop reason:Timeout
                                                                                                                                          Detection:MAL
                                                                                                                                          Classification:mal100.troj.spyw.evad.winEXE@4/1@0/1
                                                                                                                                          EGA Information:
                                                                                                                                          • Successful, ratio: 50%
                                                                                                                                          HDC Information:
                                                                                                                                          • Successful, ratio: 97.4% (good quality ratio 90%)
                                                                                                                                          • Quality average: 76.9%
                                                                                                                                          • Quality standard deviation: 30.3%
                                                                                                                                          HCA Information:
                                                                                                                                          • Successful, ratio: 99%
                                                                                                                                          • Number of executed functions: 0
                                                                                                                                          • Number of non-executed functions: 0
                                                                                                                                          Cookbook Comments:
                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                          • Adjust boot time
                                                                                                                                          • Enable AMSI
                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                          • TCP Packets have been reduced to 100
                                                                                                                                          • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                                                                                                          • Execution Graph export aborted for target AppLaunch.exe, PID 5308 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:45:15 | API Interceptor | 11x Sleep call for process: AppLaunch.exe modified
                                                                                                                                          No context
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2932
                                                                                                                                          Entropy (8bit):5.334469918014252
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIWUfHK7HKhBHKdHKB1AHKzvQTHmtHoxHImHK1HxLHW:iqXeqm00YqhQnouOq7qLqdqUqzcGtIxf
                                                                                                                                          MD5:92A61FC50E2FFFA916EF86C2F42C7557
                                                                                                                                          SHA1:145AD3EAEB578E9BBEE8F36DF312024BDA733602
                                                                                                                                          SHA-256:12D868AA2721F27C9353109BC11B79E28880B388AE22A0681EB337540DD1D798
                                                                                                                                          SHA-512:35A0CC24FD5D081CDD4065F118A6FA2EBA688D756EAC708AC5F85D21C2358D6DF815BC23399096507F5562AF882303AA361EB92EA0F98ECA6AE9356C34BC431B
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                                                                          File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                          Entropy (8bit):6.810014353516838
                                                                                                                                          TrID:
                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                          File name:AHj20WexRe.exe
                                                                                                                                          File size:237568
                                                                                                                                          MD5:feed21ebd82979e5638211ca7b5f9f02
                                                                                                                                          SHA1:b05191bad788b3cef9fd56c2da96846531b25856
                                                                                                                                          SHA256:7220cc97230b21abdcf6d7d01db4be1d85679828173f537349b87ed4a914f979
                                                                                                                                          SHA512:b8ee60c264335458c64d73cb77df3b8199159adc7734069fd02d61d6a2720da7b1ad6a2fe851e4ff96d60758adc11dfa402adcee0187665b3d36f33d6e64a119
                                                                                                                                          SSDEEP:6144:rIQe6Nq6jNux2lqlWdmXxdNi+ThB1bl7ELdY+bC9JIT:rs6Nq6j5lqGmXIul74too
                                                                                                                                          TLSH:2834AE6137DC98F1C775BA791C23B7A444BDF8704E11BAAB238B67BD0F660C28916817
                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5..Z5..Z5..Z!..[?..Z!..[...Z!..['..ZW..[$..ZW..[#..Z!..[0..Z5..Z...ZW..[...Z...Z7..Z...[4..Z...[4..ZRich5..Z...............
                                                                                                                                          Icon Hash:00828e8e8686b000
                                                                                                                                          Entrypoint:0x406a9c
                                                                                                                                          Entrypoint Section:.text
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows cui
                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                          Time Stamp:0x62B7F96D [Sun Jun 26 06:15:09 2022 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:
                                                                                                                                          OS Version Major:6
                                                                                                                                          OS Version Minor:0
                                                                                                                                          File Version Major:6
                                                                                                                                          File Version Minor:0
                                                                                                                                          Subsystem Version Major:6
                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                          Import Hash:01c7deffe7567fdea4e6658ade466fd3
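The static fields above (Time Stamp, Entrypoint, Imagebase, Subsystem, Image File Characteristics, DLL Characteristics, version fields) all come from the COFF and optional headers of the PE. The following is an added example, not part of the Joe Sandbox report: a standard-library Python reader that pulls those fields out of a raw PE32 image and decodes them to the same labels the report uses, plus the one sanity check an analyst should apply to a link-time stamp. The image it parses is constructed inline from the values in this table (it is headers only and is not the sample itself); the epoch 1656229403 used in the timestamp check is the report's analysis start, 2022-06-26 09:43:23 +02:00, converted to UTC. For this sample the stamp 0x62B7F96D (06:15:09 UTC) falls about an hour and a half before that start, which fits a freshly linked build, but the field is attacker controlled, so only a stamp later than first sighting (or absurdly old) is actionable, never the absolute value.

```python
# Added example (not part of the Joe Sandbox report): read the PE32 header
# fields the report lists straight from the raw bytes, and apply the
# timestamp sanity check an analyst would run. Standard library only.
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristics (PE/COFF specification)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_DLLCHARACTERISTICS_* flags (PE/COFF specification)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x2000: "WDM_DRIVER",
    0x8000: "TERMINAL_SERVER_AWARE",
}

SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}

# Roughly November 1992, before any Win32 linker existed; a stamp below this
# is as suspicious as one in the future.
PE_FORMAT_EPOCH = 0x2B000000


def _flags(value, table):
    """Decode a bit field into the names of the set flags, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32_headers(data):
    """Return the COFF and optional-header fields from a raw PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:  # 0x20B would be PE32+
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor, _img_major, _img_minor, ss_major, ss_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": compiled.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "file_characteristics": _flags(characteristics, FILE_CHARACTERISTICS),
        "entrypoint": entry,
        "image_base": image_base,
        "os_version": "%d.%d" % (os_major, os_minor),
        "subsystem_version": "%d.%d" % (ss_major, ss_minor),
        "subsystem": SUBSYSTEMS.get(subsystem, "unknown(%d)" % subsystem),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
    }


def timestamp_is_plausible(timestamp, first_seen_epoch):
    """The link-time stamp is attacker controlled. Treat a stamp later than the
    file's first sighting, or older than the PE format, as tampering rather
    than as evidence of when the binary was built."""
    return PE_FORMAT_EPOCH < timestamp <= first_seen_epoch


def build_sample_image():
    """Constructed minimal PE32 image (headers only, no sections) carrying the
    header values the report lists for AHj20WexRe.exe. It is not the sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, TimeDateStamp, no symbols, 224-byte optional
    # header, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x62B7F96D, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x406A9C)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 6, 0, 6, 0, 6, 0) # OS/image/subsystem versions
    struct.pack_into("<HH", opt, 68, 3, 0x8140)            # CUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = parse_pe32_headers(build_sample_image())
    for key, value in info.items():
        print("%-22s %s" % (key, hex(value) if isinstance(value, int) else value))
    print("timestamp plausible:", timestamp_is_plausible(info["timestamp"], 1656229403))
```

To run it against a real file replace build_sample_image() with open(path, "rb").read(); the parser deliberately rejects PE32+ (magic 0x20B) because the ImageBase and later fields sit at different offsets there.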
                                                                                                                                          Instruction
                                                                                                                                          call 00007F32C4D7A4E8h
jmp 00007F32C4D79CA9h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F32C4D7A5DFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F32C4D7A5C9h
int3
int3
int3
int3
push ebx
push esi
mov eax, dword ptr [esp+18h]
or eax, eax
jne 00007F32C4D79E4Ah
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+0Ch]
div ecx
mov edx, ebx
jmp 00007F32C4D79E73h
mov ecx, eax
mov ebx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007F32C4D79E26h
div ebx
mov esi, eax
mul dword ptr [esp+18h]
mov ecx, eax
mov eax, dword ptr [esp+14h]
mul esi
add edx, ecx
jc 00007F32C4D79E40h
cmp edx, dword ptr [esp+10h]
jnbe 00007F32C4D79E3Ah
jc 00007F32C4D79E39h
cmp eax, dword ptr [esp+0Ch]
jbe 00007F32C4D79E33h
dec esi
xor edx, edx
mov eax, esi
pop esi
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007F32C4D79E4Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c5c4 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0x1a14 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1a2b0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1a300 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1a1f0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x170 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x121de | 0x12200 | False | 0.5988011853448276 | data | 6.603446862369813 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x14000 | 0x8e86 | 0x9000 | False | 0.3971354166666667 | data | 4.70611488497576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1d000 | 0x1db98 | 0x1ce00 | False | 0.5036356872294372 | data | 6.591282203310851 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3b000 | 0x1a14 | 0x1c00 | False | 0.7007533482142857 | data | 6.340378099422768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Imports

DLL | Import
USER32.dll | ShowWindow
KERNEL32.dll | CreateEventW, WriteConsoleW, IsDebuggerPresent, CheckRemoteDebuggerPresent, GetCurrentProcess, GetSystemInfo, GetConsoleWindow, RaiseException, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, InitializeConditionVariable, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, SleepConditionVariableSRW, InitOnceBeginInitialize, InitOnceComplete, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, CloseHandle, WaitForSingleObjectEx, CreateFileW, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RtlUnwind, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, CompareStringW, LCMapStringW, HeapFree, HeapAlloc, GetFileType, SetFilePointerEx, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, GetStringTypeW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapSize, HeapReAlloc
Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/26/22-09:44:57.292264 | TCP | 2850353 | ETPRO MALWARE Redline Stealer TCP CnC - Id1Response | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
06/26/22-09:45:16.984458 | TCP | 2850286 | ETPRO TROJAN Redline Stealer TCP CnC Activity | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
06/26/22-09:44:55.578726 | TCP | 2850027 | ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 26, 2022 09:44:55.012095928 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:44:55.034389973 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:44:55.034513950 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:44:55.578726053 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:44:55.600933075 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:44:55.615884066 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:44:55.703222990 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:44:57.240299940 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:44:57.264451027 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:44:57.292263985 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:44:57.413984060 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:04.204436064 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:04.231043100 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:04.247549057 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:04.247607946 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:04.247648001 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:04.247771025 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:04.414612055 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:12.210522890 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:12.252036095 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:12.356772900 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.431720018 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.456154108 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.456183910 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.456196070 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.456305981 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.456343889 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.456680059 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.456696987 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.456787109 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.481261015 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481300116 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481314898 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481326103 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481338978 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481349945 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481363058 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.481390953 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.481482983 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.481514931 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.481535912 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.481794119 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.482584953 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506062031 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506165981 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506258965 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506277084 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506294012 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506355047 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506361008 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506385088 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506417036 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506423950 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506428003 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506439924 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.506498098 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506515026 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.506761074 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507008076 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507035017 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507080078 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507091999 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507117033 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507363081 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.507410049 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.507572889 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507586002 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.507661104 CEST | 49758 | 48403 | 192.168.2.4 | 193.233.193.55
Jun 26, 2022 09:45:13.531019926 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
Jun 26, 2022 09:45:13.531049013 CEST | 48403 | 49758 | 193.233.193.55 | 192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531060934 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531080961 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531095028 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531107903 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531121016 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531120062 CEST4975848403192.168.2.4193.233.193.55
                                                                                                                                          Jun 26, 2022 09:45:13.531152010 CEST4975848403192.168.2.4193.233.193.55
                                                                                                                                          Jun 26, 2022 09:45:13.531167984 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531181097 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531656027 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531683922 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531729937 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531740904 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531769991 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531783104 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531802893 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.531850100 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.532274961 CEST4975848403192.168.2.4193.233.193.55
                                                                                                                                          Jun 26, 2022 09:45:13.532337904 CEST4975848403192.168.2.4193.233.193.55
                                                                                                                                          Jun 26, 2022 09:45:13.532454014 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.532468081 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.532497883 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.532541037 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.532563925 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.532577991 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.534832954 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.534847021 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.534858942 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.534895897 CEST4840349758193.233.193.55192.168.2.4
                                                                                                                                          Jun 26, 2022 09:45:13.534914970 CEST4840349758193.233.193.55192.168.2.4

Target ID: 0
Start time: 09:44:36
Start date: 26/06/2022
Path: C:\Users\user\Desktop\AHj20WexRe.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\AHj20WexRe.exe"
Imagebase: 0x800000
File size: 237568 bytes
MD5 hash: FEED21EBD82979E5638211CA7B5F9F02
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.265307308.0000000000EB2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.266075212.00000000010EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 09:44:39
Start date: 26/06/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff647620000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:44:39
Start date: 26/06/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0x1090000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.342959659.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000000.265590293.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000000.265268925.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.344552548.0000000007201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

No disassembly