
Windows Analysis Report
Installer.exe

Overview

General Information

Sample Name:Installer.exe
Analysis ID:791291
MD5:f62872fe4592273abda6f704fb27b3ec
SHA1:c9f193458f5b59a81b3fcb6fed90112d6d0dd48f
SHA256:8f136c424f604be973a76795d1de0dca7281ca25e543e264565d753e2dea404c
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
PE file contains more sections than normal
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Installer.exe (PID: 1228 cmdline: C:\Users\user\Desktop\Installer.exe MD5: F62872FE4592273ABDA6F704FB27B3EC)
    • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 996 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup

{"C2 url": ["82.115.223.46:57672"], "Authorization Header": "7352deef2adb5a71ae170f48b8b9de21"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(2 further entries collapsed in the original report)

Source | Rule | Description | Author | Strings
0.2.Installer.exe.13d4614.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.Installer.exe.13d4614.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x11c91: $v2_1: ListOfProcesses
  • 0x11a70: $v4_3: base64str
  • 0x125d6: $v4_4: stringKey
  • 0x1038b: $v4_5: BytesToStringConverted
  • 0xf59e: $v4_6: FromBase64
  • 0x108b4: $v4_8: procName
  • 0x11012: $v5_5: FileScanning
  • 0x10594: $v5_7: RecordHeaderField
  • 0x1025c: $v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.Installer.exe.1430000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.Installer.exe.1430000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0xd00: $pat14: , CommandLine:
  • 0x13a91: $v2_1: ListOfProcesses
  • 0x13870: $v4_3: base64str
  • 0x143d6: $v4_4: stringKey
  • 0x1218b: $v4_5: BytesToStringConverted
  • 0x1139e: $v4_6: FromBase64
  • 0x126b4: $v4_8: procName
  • 0x12e12: $v5_5: FileScanning
  • 0x12394: $v5_7: RecordHeaderField
  • 0x1205c: $v5_9: BCRYPT_KEY_LENGTHS_STRUCT
2.2.AppLaunch.exe.41c0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(1 further entry collapsed in the original report)
                      No Sigma rule has matched
Timestamp: 01/25/23-09:37:20.266410
Source IP: 82.115.223.46
Destination IP: 192.168.2.4
SID: 2043234
Source Port: 57672
Destination Port: 49697
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/25/23-09:37:15.679519
Source IP: 192.168.2.4
Destination IP: 82.115.223.46
SID: 2043233
Source Port: 49697
Destination Port: 57672
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/25/23-09:37:33.121439
Source IP: 192.168.2.4
Destination IP: 82.115.223.46
SID: 2043231
Source Port: 49697
Destination Port: 57672
Protocol: TCP
Classtype: A Network Trojan was detected

                      AV Detection

Source: Installer.exe; Virustotal: Detection: 38%
                      Source: http://tempuri.org/Entity/Id19ResponseonURL Reputation: Label: phishing
Source: Installer.exe; Joe Sandbox ML: detected
Source: 0.2.Installer.exe.13d4614.1.unpack; Avira: Label: TR/ATRAPS.Gen5
Source: 0.3.Installer.exe.1430000.0.unpack; Malware Configuration Extractor: RedLine {"C2 url": ["82.115.223.46:57672"], "Authorization Header": "7352deef2adb5a71ae170f48b8b9de21"}
Source: Installer.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Code function: 4x nop then jmp 09BA243Ah
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Code function: 4x nop then jmp 09BA28BAh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Code function: 4x nop then jmp 09BA5A18h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; Code function: 4x nop then jmp 09BA1435h

                      Networking

Source: Traffic; Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.4:49697 -> 82.115.223.46:57672
Source: Traffic; Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49697 -> 82.115.223.46:57672
Source: Traffic; Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 82.115.223.46:57672 -> 192.168.2.4:49697
Source: Malware configuration extractor; URLs: 82.115.223.46:57672
Source: Joe Sandbox View; ASN Name: MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View; IP Address: 82.115.223.46
Source: global traffic; TCP traffic: 192.168.2.4:49697 -> 82.115.223.46:57672
Source: unknown; TCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069E7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069E7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Responseon
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069E7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Responseon
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4y/
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069E7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: Installer.exe, 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp, Installer.exe, 00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                      Source: AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                      Source: AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: Installer.exe, 00000000.00000002.306845382.000000000163A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.Installer.exe.13d4614.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.Installer.exe.1430000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.AppLaunch.exe.41c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Installer.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.Installer.exe.13d4614.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.Installer.exe.1430000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.AppLaunch.exe.41c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_001216AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0491F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0491F368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA2B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA2018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA2009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BAC2A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA5538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA4528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA4518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA14B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA14C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA0768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BAE1C8
Source: Installer.exe, 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHarpists.exe< vs Installer.exe
Source: C:\Users\user\Desktop\Installer.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: sfc.dll
Source: Installer.exe | Static PE information: Number of sections : 20 > 10
Source: Installer.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: Installer.exe | Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\Installer.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Installer.exe C:\Users\user\Desktop\Installer.exe
Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\Installer.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/1@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 0.3.Installer.exe.1430000.0.unpack, BrEx.cs | Base64 encoded string: (encoded string elided)
Source: 2.2.AppLaunch.exe.41c0000.0.unpack, BrEx.cs | Base64 encoded string: (encoded string elided)
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_01
Source: Installer.exe | Static file information: File size 2306455 > 1048576
Source: Installer.exe | Static PE information: Raw size of .JVWQ is bigger than: 0x100000 < 0x1f4000
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_00124228 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09BA5B42 push eax; retf
Source: Installer.exe | Static PE information: section name: /4
Source: Installer.exe | Static PE information: section name: /14
Source: Installer.exe | Static PE information: section name: /29
Source: Installer.exe | Static PE information: section name: /41
Source: Installer.exe | Static PE information: section name: /55
Source: Installer.exe | Static PE information: section name: /67
Source: Installer.exe | Static PE information: section name: /80
Source: Installer.exe | Static PE information: section name: .JVWQ
Source: Installer.exe | Static PE information: section name: .JVWQ
Source: C:\Users\user\Desktop\Installer.exe | Code function: 0_2_001214C0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
Source: initial sample | Static PE information: section where entry point is pointing to: .JVWQ
Source: Installer.exe | Static PE information: real checksum: 0x239810 should be: 0x23980f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Installer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Installer.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 4812 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 2400 Thread sleep count: 3254 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 4984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window / User API: threadDelayed 3254
Source: C:\Users\user\Desktop\Installer.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Installer.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Installer.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Installer.exe API coverage: 10.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
Source: Installer.exe, 00000000.00000002.306845382.000000000163A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__!
Source: C:\Users\user\Desktop\Installer.exe Code function: 0_2_001214C0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Installer.exe Code function: 0_2_00121150 Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Installer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 41C0000
Source: C:\Users\user\Desktop\Installer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 43CF008
Source: C:\Users\user\Desktop\Installer.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 41C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Installer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 41C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Installer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Installer.exe Code function: 0_2_0012162F GetVersion,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Installer.exe.13d4614.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Installer.exe.1430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.AppLaunch.exe.41c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 996, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\wallets
Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 996, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Installer.exe.13d4614.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Installer.exe.1430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.AppLaunch.exe.41c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 996, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 431 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 11 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 341 Virtualization/Sandbox Evasion | Security Account Manager | 341 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Data from Local System | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 311 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 21 Obfuscated Files or Information | LSA Secrets | 124 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Source | Detection | Scanner | Label
Installer.exe | 39% | Virustotal |
Installer.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
0.3.Installer.exe.1430000.0.unpack | 100% | Avira | HEUR/AGEN.1252166
2.2.AppLaunch.exe.41c0000.0.unpack | 100% | Avira | HEUR/AGEN.1252166
0.2.Installer.exe.13d4614.1.unpack | 100% | Avira | TR/ATRAPS.Gen5

No Antivirus matches

Source | Detection | Scanner | Label
http://tempuri.org/Entity/Id19Responseon | 100% | URL Reputation | phishing
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Responseon | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | AppLaunch.exe, 00000002.00000003.370355641.000000000492D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.365745204.000000000492C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000002.00000002.373473272.00000000069E7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7 | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsatAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://tempuri.org/Entity/Id15ResponseAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://tempuri.org/Entity/Id6ResponseAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://api.ip.sb/ipInstaller.exe, 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp, Installer.exe, 00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/scAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id9ResponseAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id20AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id21AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id22AppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id1ResponseAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=AppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id10AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id11AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id12AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16ResponseAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id13AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id14AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id15AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id16AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NonceAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id17AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id18AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id5ResponseAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id19AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id10ResponseAppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 00000002.00000002.373473272.00000000069E7000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 00000002.00000002.373473272.00000000066DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/soap/envelope/AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://search.yahoo.com?fr=crmas_sfpfAppLaunch.exe, 00000002.00000002.373473272.00000000069DA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.00000000068C1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.381215531.0000000007684000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.373473272.000000000694E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2004/06/addressingex | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2004/10/wscoor | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://tempuri.org/Entity/Id17Response | AppLaunch.exe, 00000002.00000002.373473272.0000000006651000.00000004.00000800.00020000.00000000.sdmp; AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | URL Reputation: safe | Reputation: unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510 | AppLaunch.exe, 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
82.115.223.46 | unknown | Russian Federation | 209821 | MIDNET-ASTK-TelecomRU | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 791291
Start date and time: 2023-01-25 09:36:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Installer.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/1@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 64.5% (good quality ratio 41.1%)
• Quality average: 52.7%
• Quality standard deviation: 43.9%
HCA Information:
• Successful, ratio: 73%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded domains from analysis (whitelisted): login.live.com
• TCP Packets have been reduced to 100
• Execution Graph export aborted for target AppLaunch.exe, PID 996 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:37:30 | API Interceptor | 18x Sleep call for process: AppLaunch.exe modified
                                                                                                                                                        No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHjC:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxw
MD5: 3CF15F26423086F7633BB4066F6D1128
SHA1: 009194C567E122B6CBB9BFC45FD854BA30433C43
SHA-256: 28279AEAD69778149C740526EF13D927FF69632B69B5F1759E6C697720D9D413
SHA-512: 14FD6C0CDF9CDE9B651DF4420DD81F847288C5534F5DDC9773DA9B80B49B15BCE7C804E3DB9819CACF9C09CAADEE75812F43A897F8C678E3650CF46107E24AF9
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 5.798086983844678
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Installer.exe
File size: 2306455
MD5: f62872fe4592273abda6f704fb27b3ec
SHA1: c9f193458f5b59a81b3fcb6fed90112d6d0dd48f
SHA256: 8f136c424f604be973a76795d1de0dca7281ca25e543e264565d753e2dea404c
SHA512: c0d974bd1605ddff4fc06251689c49bce541a5ea9b0d1137c3d250d164ea347fe44823bf4140950c5d58e3dbd5822aadca85afd0dd8ce15224d679f2c40a11b8
SSDEEP: 24576:SbS0tTtCM79UnERXLb9HOlSEE2Rly1luF/6yQhA68NNMOJMD+WDeQGl4Z1cb8zQi:y7TLhwSEeJ
TLSH: 92B51CD7BF11219BDB1F88BC51E9BB336D2F6EF18130C5119B6A343CE692C903A49691
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c....K..........'............H........0....@..........................p#.......#...@... ............................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x518948
Entrypoint Section: .JVWQ
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x63D0B3E7 [Wed Jan 25 04:45:27 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 0757a8f986ddb3ab9e2a579b3f752934
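The static-info block above is the output of a few header checks that are worth being able to run yourself before a sandbox result comes back: which section owns the entry point (here a section with the non-standard name .JVWQ, not .text), the link timestamp (0x63D0B3E7, under four hours before this analysis started), the subsystem, whether DYNAMIC_BASE is set, and the 8-bit entropy the report quotes per file. The following is an added example written for this page, not Joe Sandbox's code or the sample's: a dependency-free PE32/PE32+ header parser plus a triage function. Because the analysed file is not on the page, build_sample_pe() constructs a tiny image that reuses only the report's quoted values (image base, entry point, timestamp, subsystem, DLL characteristics, characteristics flags and the .JVWQ name); the section layout and contents are invented, and the entropy figures it produces are for that constructed data, not for Installer.exe.

```python
import math
import struct
from datetime import datetime, timezone

# Section names a normal linker emits. Anything else (the report's .JVWQ, for
# instance) usually means a packer or crypter rewrote the section table.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                          ".reloc", ".bss", ".tls", ".pdata", ".xdata", ".CRT", ".debug"}
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the report quotes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields used for triage and the
    section table of a PE32 or PE32+ image. Raises ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                  # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):                          # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("latin-1"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "entry_rva": entry_rva, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(data: bytes) -> dict:
    """The checks behind the report's static-info block: entry-point owner section and
    whether its name is standard, link timestamp, subsystem, ASLR opt-in, section entropy."""
    pe = parse_pe(data)
    rva = pe["entry_rva"]
    owner = next((s for s in pe["sections"] if s["virtual_address"] <= rva
                  < s["virtual_address"] + max(s["virtual_size"], len(s["raw"]))), None)
    return {
        "entrypoint_va": pe["image_base"] + rva,
        "entrypoint_section": owner["name"] if owner else None,
        "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTION_NAMES],
        "timestamp_utc": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "subsystem": SUBSYSTEMS.get(pe["subsystem"], f"unknown ({pe['subsystem']})"),
        "dynamic_base": bool(pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "section_entropy": {s["name"]: round(shannon_entropy(s["raw"]), 3) for s in pe["sections"]},
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for this example (NOT the analysed Installer.exe).
    Only values quoted in the report are reused: image base 0x400000, entry point VA
    0x518948, timestamp 0x63D0B3E7, console subsystem, DYNAMIC_BASE, characteristics
    0x0106 and an entry-point section named .JVWQ. Layout and contents are invented."""
    e_lfanew = 0x80
    sections = [  # (name, virtual address, virtual size, raw bytes)
        (b".text", 0x1000, 0x10000, bytes(range(256))),   # each byte value once: entropy 8.0
        (b".data", 0x11000, 0x1000, b"\0" * 256),         # all zero: entropy 0.0
        (b".JVWQ", 0x110000, 0x20000, b"ABCD" * 64),      # contains RVA 0x118948: entropy 2.0
    ]
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x518948 - 0x400000)  # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 68, 3, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)  # CUI, ASLR
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x63D0B3E7, 0, 0, len(opt), 0x0106)
    headers_end = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF             # first raw section on a 0x200 boundary
    table, blobs = bytearray(), bytearray()
    for name, va, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_base + len(blobs),
                             0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
        blobs += raw
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image + b"\0" * (raw_base - len(image)) + blobs)
```

Running triage(build_sample_pe()) reports the entry point at 0x518948 inside .JVWQ, .JVWQ as the only non-standard section, the timestamp as 2023-01-25 04:45:27 UTC, subsystem windows cui and dynamic_base True, which is what the block above says about the real file. Two caveats a practitioner should keep in mind: a packer can also name its stub section .text, so "entry point in a standard section" clears nothing on its own, and a link timestamp is attacker-controlled (it can be zeroed or backdated), so a recent one is a hint of fresh crypter output rather than proof.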
Instruction
push ebp
call 00007FF638CAD19Dh
pop ebp
sub ebp, 000D694Eh
call 00007FF638CAD1DBh
pop eax
sub eax, 0011895Ah
jmp 00007FF638CAD2BDh
jmp 00007FF638CAD19Eh
jmp 00007FF638CAD16Fh
jmp 00007FF638CAD1AFh
jmp 00007FF638CAD1F3h
mov eax, eax
jmp 00007FF638CB82B8h
jmp 00007FF638CB93B8h
add byte ptr [eax], al
cmp byte ptr [ecx], al
or byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], al
add byte ptr [edi], dh
add ah, dl
add byte ptr [esi+01h], dh
or byte ptr [eax], al
add byte ptr [eax], al
pop ebp
popfd
dec ebx
insb
les esp, fword ptr [edx+0Ah]
add byte ptr [eax], al
add dl, bh
jmp 00007FF638CB830Ah
inc eax
or al, 00h
add byte ptr [eax], al
mov ch, B1h
ret
clc
cmp bh, byte ptr [eax-7Ah]
pop esp
or al, byte ptr [eax]
add byte ptr [eax], al
dec ecx
xor bh, dl
xor ecx, dword ptr [ebx+6Ch]
push 00000AB2h
add byte ptr [esi+0C20E6E6h], al
add byte ptr [eax], al
add byte ptr [eax-55h], al
aas
add byte ptr [esi], bh
jo 00007FF638CB827Ch
or al, byte ptr fs:[eax]
add byte ptr [eax], al
fstcw word ptr [edx]
push 0000002Bh
dec ebx
insb
aam B1h
                                                                                                                                                        or al, byte ptr [eax]
                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                        inc ebp
                                                                                                                                                        inc ebp
                                                                                                                                                        pop ds
                                                                                                                                                        loop 00007FF638CB82FEh
                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                        add byte ptr [eax-57h], al
                                                                                                                                                        aas
                                                                                                                                                        add byte ptr [esi], bh
                                                                                                                                                        jo 00007FF638CB827Ch
                                                                                                                                                        or al, byte ptr fs:[eax]
                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                        std
                                                                                                                                                        cmp al, byte ptr [esi+2Bh]
                                                                                                                                                        dec ebx
                                                                                                                                                        insb
                                                                                                                                                        mov eax, 00000AB1h
                                                                                                                                                        add byte ptr [esi], ah
                                                                                                                                                        adc al, BCh
                                                                                                                                                        or al, 00h
                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                        and byte ptr [ecx+0000003Fh], ch
Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x40054          0x6c          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x236000         0x10          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x41028          0x18          .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type                                                              Entropy              Characteristics
.text   0x1000           0x1d24        0x1e00    False     0.5569010416666667   data                                                                   6.054044461251658    IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x3000           0x164         0x200     False     0.373046875          data                                                                   2.729672208063066    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x4000           0x2bdb8       0x2be00   False     0.4238782051282051   data                                                                   5.415603949330128    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4      0x30000          0x888         0xa00     False     0.36953125           data                                                                   4.2134988586234785   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss    0x31000          0xc8          0x0       False     0                    empty                                                                  0.0                  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x32000          0xd04         0xe00     False     0.07645089285714286  data                                                                   2.0019826662308464   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT    0x33000          0x30          0x200     False     0.064453125          data                                                                   0.2155331448570176   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x34000          0x8           0x200     False     0.02734375           data                                                                   0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x35000          0x368         0x400     False     0.7939453125         data                                                                   5.923114034562793    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14     0x36000          0x38          0x200     False     0.068359375          Matlab v4 mat-file (little endian) *, rows 2, columns 262144           0.2162069074398449   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29     0x37000          0xf80         0x1000    False     0.398193359375       Matlab v4 mat-file (little endian) \352)@, rows 2, columns 17039360    5.305604300716136    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41     0x38000          0xaf          0x200     False     0.29296875           data                                                                   2.108183273083511    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55     0x39000          0x108         0x200     False     0.306640625          data                                                                   3.0368320791647787   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67     0x3a000          0x38          0x200     False     0.1171875            data                                                                   0.6745765448489234   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/80     0x3b000          0x9c          0x200     False     0.267578125          data                                                                   2.3466189565208464   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.JVWQ   0x3c000          0x4000        0x4000    False     0.06585693359375     data                                                                   1.2058197341399253   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x40000          0x1000        0x200     False     0.220703125          data                                                                   1.4991760490521846   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x41000          0x1000        0x200     False     0.05078125           data                                                                   0.18571932838821048  IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.JVWQ   0x42000          0x1f4000      0x1f4000  False     0.364736328125       data                                                                   5.728302692103189    IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x236000         0x1000        0x10      False     1.5                  GLS_BINARY_LSB_FIRST                                                   2.423794940695399    IMAGE_SCN_MEM_READ
Imports

DLL           Import
kernel32.dll  GetModuleHandleA
msvcrt.dll    __getmainargs
USER32.dll    AppendMenuA
Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                            Source Port  Dest Port  Source IP      Dest IP
01/25/23-09:37:20.266410  TCP       2043234  ET MALWARE Redline Stealer TCP CnC - Id1Response   57672        49697      82.115.223.46  192.168.2.4
01/25/23-09:37:15.679519  TCP       2043233  ET TROJAN RedLine Stealer TCP CnC net.tcp Init     49697        57672      192.168.2.4    82.115.223.46
01/25/23-09:37:33.121439  TCP       2043231  ET TROJAN Redline Stealer TCP CnC Activity         49697        57672      192.168.2.4    82.115.223.46
TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 25, 2023 09:37:15.235409975 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:15.257797003 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:15.258042097 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:15.679518938 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:15.701868057 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:15.728616953 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:15.774672985 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:20.216226101 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:20.238780022 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:20.266410112 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:20.465269089 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:27.680440903 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:27.703799963 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:27.732309103 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:27.732345104 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:27.732363939 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:27.732379913 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:27.732574940 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:27.732657909 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.084013939 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.134885073 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.182065010 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.328614950 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.378184080 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.432074070 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.541886091 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.593553066 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.598830938 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.650290012 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.651782036 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.700717926 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.744592905 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.756341934 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.806044102 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.853971958 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.860924006 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:29.883431911 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.883474112 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.913157940 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:29.963356972 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:30.000190973 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:30.049391985 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:30.104712963 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:30.168443918 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:30.193572998 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:30.193619967 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:30.232552052 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:30.240502119 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:30.291512966 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:31.471393108 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:31.494369984 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.520937920 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.536365032 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:31.562525034 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.588820934 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.635809898 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:31.710989952 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:31.733499050 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.733556032 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.760567904 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.793221951 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:31.843404055 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:31.885500908 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.148407936 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.172787905 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.172852993 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.173083067 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.173317909 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.173357964 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.173398018 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.173435926 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.173449993 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.173449993 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.173522949 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.173522949 CET  49697        57672      192.168.2.4    82.115.223.46
Jan 25, 2023 09:37:32.173912048 CET  57672        49697      82.115.223.46  192.168.2.4
Jan 25, 2023 09:37:32.174010038 CET  49697        57672      192.168.2.4    82.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.174017906 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.174058914 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.174096107 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.174097061 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.174132109 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.174196959 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.195640087 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.195679903 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.195698977 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.195856094 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.195909977 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.195956945 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.196129084 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.196191072 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.196229935 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.196280003 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.196355104 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.196405888 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.196479082 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.196532965 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.196576118 CET576724969782.115.223.46192.168.2.4
                                                                                                                                                        Jan 25, 2023 09:37:32.196620941 CET4969757672192.168.2.482.115.223.46
                                                                                                                                                        Jan 25, 2023 09:37:32.196754932 CET576724969782.115.223.46192.168.2.4

Target ID: 0
Start time: 09:37:01
Start date: 25/01/2023
Path: C:\Users\user\Desktop\Installer.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Installer.exe
Imagebase: 0x120000
File size: 2306455 bytes
MD5 hash: F62872FE4592273ABDA6F704FB27B3EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.304751719.0000000001432000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.306753398.00000000013D5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 09:37:02
Start date: 25/01/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 09:37:03
Start date: 25/01/2023
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Imagebase: 0x40000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.370528626.00000000041C2000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.373473272.00000000066E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.373473272.0000000006782000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

No disassembly