Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Gta_5_Mod_Menu.exe

Overview

General Information

Sample Name:Gta_5_Mod_Menu.exe
Analysis ID:829686
MD5:35be3beaaba232f6fde781242b9c5c4b
SHA1:ce27166d42e8126a10330f5cb3d71f578f6b7ef5
SHA256:1b9192644f1912431596a1c145b7ef462d241551ff9d6782ab1f34def2f373af
Tags:exeRedLineStealer
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Gta_5_Mod_Menu.exe (PID: 5924 cmdline: C:\Users\user\Desktop\Gta_5_Mod_Menu.exe MD5: 35BE3BEAABA232F6FDE781242B9C5C4B)
    • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 3308 cmdline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • WerFault.exe (PID: 5196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["82.115.223.46:57672"], "Authorization Header": "6ae56e1e5992d446c979c837ad9696f5"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
        00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
            00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
              00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Click to see the 3 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                2.2.AppLaunch.exe.400000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                  2.2.AppLaunch.exe.400000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
                  • 0xd00:$pat14: , CommandLine:
                  • 0x13a96:$v2_1: ListOfProcesses
                  • 0x13875:$v4_3: base64str
                  • 0x143d2:$v4_4: stringKey
                  • 0x1218b:$v4_5: BytesToStringConverted
                  • 0x1139e:$v4_6: FromBase64
                  • 0x126b4:$v4_8: procName
                  • 0x12e10:$v5_5: FileScanning
                  • 0x12394:$v5_7: RecordHeaderField
                  • 0x1205c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
                  0.3.Gta_5_Mod_Menu.exe.a50000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                    0.3.Gta_5_Mod_Menu.exe.a50000.0.unpackMALWARE_Win_RedLineDetects RedLine infostealerditekSHen
                    • 0xd00:$pat14: , CommandLine:
                    • 0x13a96:$v2_1: ListOfProcesses
                    • 0x13875:$v4_3: base64str
                    • 0x143d2:$v4_4: stringKey
                    • 0x1218b:$v4_5: BytesToStringConverted
                    • 0x1139e:$v4_6: FromBase64
                    • 0x126b4:$v4_8: procName
                    • 0x12e10:$v5_5: FileScanning
                    • 0x12394:$v5_7: RecordHeaderField
                    • 0x1205c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
                    0.2.Gta_5_Mod_Menu.exe.b40000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security
                      Click to see the 1 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Snort Signatures

                      Timestamp:192.168.2.582.115.223.4649702576722043231 03/18/23-21:08:36.493481
                      SID:2043231
                      Source Port:49702
                      Destination Port:57672
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:192.168.2.582.115.223.4649702576722043233 03/18/23-21:08:10.800408
                      SID:2043233
                      Source Port:49702
                      Destination Port:57672
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:82.115.223.46192.168.2.557672497022043234 03/18/23-21:08:17.271452
                      SID:2043234
                      Source Port:57672
                      Destination Port:49702
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: Gta_5_Mod_Menu.exeReversingLabs: Detection: 43%
                      Source: Gta_5_Mod_Menu.exeVirustotal: Detection: 33%Perma Link
                      Antivirus detection for URL or domain
                      Source: http://tempuri.org/Entity/Id19ResponseonURL Reputation: Label: phishing
                      Machine Learning detection for sample
                      Source: Gta_5_Mod_Menu.exeJoe Sandbox ML: detected
                      Source: 2.2.AppLaunch.exe.400000.0.unpackMalware Configuration Extractor: RedLine {"C2 url": ["82.115.223.46:57672"], "Authorization Header": "6ae56e1e5992d446c979c837ad9696f5"}
                      Source: Gta_5_Mod_Menu.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: Gta_5_Mod_Menu.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
                      Snort IDS alert for network traffic
                      Source: TrafficSnort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49702 -> 82.115.223.46:57672
                      Source: TrafficSnort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49702 -> 82.115.223.46:57672
                      Source: TrafficSnort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 82.115.223.46:57672 -> 192.168.2.5:49702
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: 82.115.223.46:57672
                      Source: Joe Sandbox ViewASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
                      Source: Joe Sandbox ViewIP Address: 82.115.223.46 82.115.223.46
                      Source: global trafficTCP traffic: 192.168.2.5:49702 -> 82.115.223.46:57672
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: unknownTCP traffic detected without corresponding DNS query: 82.115.223.46
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                      Source: AppLaunch.exe, 00000002.00000003.380043088.000000000541C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.379963402.000000000541B000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389461893.000000000541E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/g
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Responseon
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Responseon
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4y/
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                      Source: AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: Gta_5_Mod_Menu.exe, Gta_5_Mod_Menu.exe, 00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmp, Gta_5_Mod_Menu.exe, 00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: Gta_5_Mod_Menu.exeString found in binary or memory: https://code.visualstudio.com/0
                      Source: AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                      Source: AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                      Source: AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                      Source: AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                      Source: AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: 0.2.Gta_5_Mod_Menu.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                      Source: Gta_5_Mod_Menu.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 0.2.Gta_5_Mod_Menu.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 132
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B4C2B2
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B4A4A0
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B49A18
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B4AB98
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B48761
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B49F5C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0540F7C8
                      Source: Gta_5_Mod_Menu.exeBinary or memory string: OriginalFilename vs Gta_5_Mod_Menu.exe
                      Source: Gta_5_Mod_Menu.exe, 00000000.00000000.293559766.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCooperation assist> vs Gta_5_Mod_Menu.exe
                      Source: Gta_5_Mod_Menu.exe, 00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePeeler.exe< vs Gta_5_Mod_Menu.exe
                      Source: Gta_5_Mod_Menu.exe, 00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePeeler.exe< vs Gta_5_Mod_Menu.exe
                      Source: Gta_5_Mod_Menu.exeBinary or memory string: OriginalFilenameCooperation assist> vs Gta_5_Mod_Menu.exe
                      Source: Gta_5_Mod_Menu.exeStatic PE information: invalid certificate
                      Source: Gta_5_Mod_Menu.exeReversingLabs: Detection: 43%
                      Source: Gta_5_Mod_Menu.exeVirustotal: Detection: 33%
                      Source: Gta_5_Mod_Menu.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\Gta_5_Mod_Menu.exe C:\Users\user\Desktop\Gta_5_Mod_Menu.exe
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 132
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\YandexJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF111.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/7@0/1
                      Source: AppLaunch.exe, 00000002.00000003.359712244.0000000008197000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5924
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Gta_5_Mod_Menu.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B45A39 push ecx; ret
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B47E3C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: Gta_5_Mod_Menu.exeStatic PE information: real checksum: 0x3e094 should be: 0x4f1ec
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6008Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5984Thread sleep count: 7915 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 2316Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow / User API: threadDelayed 7915
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeAPI call chain: ExitProcess graph end node
                      Source: AppLaunch.exe, 00000002.00000002.399548708.000000000A240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMware7ZT6FR_XWin32_VideoControllerLSPLDTT8VideoController120060621000000.000000-00018810137display.infMSBDAUUUUG7NFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors2BPO3373p
                      Source: Amcache.hve.5.drBinary or memory string: VMware
                      Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.5.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
                      Source: AppLaunch.exe, 00000002.00000002.388307227.00000000010A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                      Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.5.drBinary or memory string: VMware7,1
                      Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.me
                      Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.5.drBinary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                      Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B46A84 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B47E3C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B7B354 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess queried: DebugPort
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B46A84 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B4468F SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B4BAE5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B475B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: CD5008
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B7B389 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: GetLocaleInfoA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\Gta_5_Mod_Menu.exeCode function: 0_2_00B45BDC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                      Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: AppLaunch.exe, 00000002.00000002.388307227.0000000001096000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.399548708.000000000A222000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.388307227.00000000010DD000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.399548708.000000000A240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Gta_5_Mod_Menu.exe.b40000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 3308, type: MEMORYSTR
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Found many strings related to Crypto-Wallets (likely being stolen)
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Electrum\wallets
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                      Source: AppLaunch.exe, 00000002.00000002.399548708.000000000A240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*k
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum\wallets
                      Source: AppLaunch.exe, 00000002.00000002.399548708.000000000A240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*k
                      Source: AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum\wallets
                      Source: AppLaunch.exe, 00000002.00000002.399548708.000000000A240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*k
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: Yara matchFile source: 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 3308, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected RedLine Stealer
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Gta_5_Mod_Menu.exe.b40000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 3308, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts221
                      Windows Management Instrumentation                      		Path Interception411
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		1
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		Exfiltration Over Other Network Medium1
                      Encrypted Channel                      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default Accounts2
                      Native API                      		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                      Disable or Modify Tools                      		LSASS Memory251
                      Security Software Discovery                      		Remote Desktop Protocol3
                      Data from Local System                      		Exfiltration Over Bluetooth1
                      Non-Standard Port                      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)241
                      Virtualization/Sandbox Evasion                      		Security Account Manager11
                      Process Discovery                      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Application Layer Protocol                      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)411
                      Process Injection                      		NTDS241
                      Virtualization/Sandbox Evasion                      		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information                      		LSA Secrets1
                      Application Window Discovery                      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
                      Remote System Discovery                      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync134
                      System Information Discovery                      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      Gta_5_Mod_Menu.exe44%ReversingLabsWin32.Trojan.RecordBreaker
                      Gta_5_Mod_Menu.exe34%VirustotalBrowse
                      Gta_5_Mod_Menu.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      2.2.AppLaunch.exe.400000.0.unpack100%AviraHEUR/AGEN.1252166Download File
                      0.3.Gta_5_Mod_Menu.exe.a50000.0.unpack100%AviraHEUR/AGEN.1252166Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://tempuri.org/Entity/Id19Responseon100%URL Reputationphishing
                      http://tempuri.org/Entity/Id12Response0%URL Reputationsafe
                      http://tempuri.org/0%URL Reputationsafe
                      http://tempuri.org/Entity/Id2Response0%URL Reputationsafe
                      http://ns.adobe.c/g0%URL Reputationsafe
                      http://tempuri.org/Entity/Id21Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id21Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id90%URL Reputationsafe
                      http://tempuri.org/Entity/Id80%URL Reputationsafe
                      http://tempuri.org/Entity/Id50%URL Reputationsafe
                      http://tempuri.org/Entity/Id70%URL Reputationsafe
                      http://tempuri.org/Entity/Id60%URL Reputationsafe
                      http://tempuri.org/Entity/Id19Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id15Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id15Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id6Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id6Response0%URL Reputationsafe
                      https://api.ip.sb/ip0%URL Reputationsafe
                      http://tempuri.org/Entity/Id9Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id9Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id200%URL Reputationsafe
                      http://tempuri.org/Entity/Id200%URL Reputationsafe
                      http://tempuri.org/Entity/Id210%URL Reputationsafe
                      http://tempuri.org/Entity/Id210%URL Reputationsafe
                      http://tempuri.org/Entity/Id220%URL Reputationsafe
                      http://tempuri.org/Entity/Id1Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id100%URL Reputationsafe
                      http://tempuri.org/Entity/Id110%URL Reputationsafe
                      http://tempuri.org/Entity/Id120%URL Reputationsafe
                      http://tempuri.org/Entity/Id16Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id130%URL Reputationsafe
                      http://tempuri.org/Entity/Id140%URL Reputationsafe
                      http://tempuri.org/Entity/Id150%URL Reputationsafe
                      http://tempuri.org/Entity/Id160%URL Reputationsafe
                      http://tempuri.org/Entity/Id170%URL Reputationsafe
                      http://tempuri.org/Entity/Id180%URL Reputationsafe
                      http://tempuri.org/Entity/Id5Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id190%URL Reputationsafe
                      http://tempuri.org/Entity/Id10Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id8Response0%URL Reputationsafe
                      http://tempuri.org/Entity/Id17Response0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#TextAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://schemas.xmlsoap.org/ws/2005/02/sc/sctAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://schemas.xmlsoap.org/ws/2004/08/addressing/faultPAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://duckduckgo.com/chrome_newtabAppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/ws/2004/04/security/sc/dkAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://duckduckgo.com/ac/?q=AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinaryAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://tempuri.org/Entity/Id19ResponseonAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmptrue
                                    • URL Reputation: phishing
                                    		unknown
                                    http://tempuri.org/Entity/Id12ResponseAppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://tempuri.org/AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://tempuri.org/Entity/Id2ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://ns.adobe.c/gAppLaunch.exe, 00000002.00000003.380043088.000000000541C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.379963402.000000000541B000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389461893.000000000541E000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://tempuri.org/Entity/Id21ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_WrapAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://tempuri.org/Entity/Id9AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://tempuri.org/Entity/Id8AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://tempuri.org/Entity/Id5AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/PrepareAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://tempuri.org/Entity/Id7AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://tempuri.org/Entity/Id6AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://tempuri.org/Entity/Id19ResponseAppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2004/10/wsatAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://tempuri.org/Entity/Id15ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  http://tempuri.org/Entity/Id6ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://api.ip.sb/ipGta_5_Mod_Menu.exe, Gta_5_Mod_Menu.exe, 00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmp, Gta_5_Mod_Menu.exe, 00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/04/scAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://tempuri.org/Entity/Id9ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://tempuri.org/Entity/Id20AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://tempuri.org/Entity/Id21AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://tempuri.org/Entity/Id22AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://tempuri.org/Entity/Id1ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=AppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              		high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          http://tempuri.org/Entity/Id10AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://tempuri.org/Entity/Id11AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://tempuri.org/Entity/Id12AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://tempuri.org/Entity/Id16ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://tempuri.org/Entity/Id13AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              http://tempuri.org/Entity/Id14AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              http://tempuri.org/Entity/Id15AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              http://tempuri.org/Entity/Id16AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              		unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NonceAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                http://tempuri.org/Entity/Id17AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id18AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id5ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                http://tempuri.org/Entity/Id19AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://tempuri.org/Entity/Id10ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  		unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://code.visualstudio.com/0Gta_5_Mod_Menu.exefalse
                                                                                                                      		high
                                                                                                                      http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      		unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://schemas.xmlsoap.org/soap/envelope/AppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://search.yahoo.com?fr=crmas_sfpfAppLaunch.exe, 00000002.00000003.362563704.000000000820D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008171000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008068000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008085000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.362563704.00000000081F0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.0000000008159000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000007394000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.360792439.000000000821E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000712E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trustAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/06/addressingexAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wscoorAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewAppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        http://tempuri.org/Entity/Id17ResponseAppLaunch.exe, 00000002.00000002.389921530.0000000006EE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.000000000713B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        		unknown

                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                        Public IPs

                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                        82.115.223.46
                                                                                                                                                        		unknownRussian Federation
                                                                                                                                                        		209821MIDNET-ASTK-TelecomRUtrue

                                                                                                                                                        General Information

                                                                                                                                                        Joe Sandbox Version:37.0.0 Beryl
                                                                                                                                                        Analysis ID:829686
                                                                                                                                                        Start date and time:2023-03-18 21:07:04 +01:00
                                                                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                                                                        Overall analysis duration:0h 6m 36s
                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                        Report type:light
                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                        Number of analysed new started processes analysed:9
                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                        Technologies:
                                                                                                                                                        • HCA enabled
                                                                                                                                                        • EGA enabled
                                                                                                                                                        • HDC enabled
                                                                                                                                                        • AMSI enabled
                                                                                                                                                        Analysis Mode:default
                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                        Sample file name:Gta_5_Mod_Menu.exe
                                                                                                                                                        Detection:MAL
                                                                                                                                                        Classification:mal100.troj.spyw.evad.winEXE@5/7@0/1
                                                                                                                                                        EGA Information:
                                                                                                                                                        • Successful, ratio: 50%
                                                                                                                                                        HDC Information:
                                                                                                                                                        • Successful, ratio: 91.8% (good quality ratio 88.1%)
                                                                                                                                                        • Quality average: 83.2%
                                                                                                                                                        • Quality standard deviation: 25.7%
                                                                                                                                                        HCA Information:
                                                                                                                                                        • Successful, ratio: 97%
                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Found application associated with file extension: .exe

                                                                                                                                                        Warnings

                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                                                                                                        • TCP Packets have been reduced to 100
                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                                                                                                                                        • Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
                                                                                                                                                        • Execution Graph export aborted for target AppLaunch.exe, PID 3308 because it is empty
                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                        Simulations

                                                                                                                                                        Behavior and APIs

                                                                                                                                                        TimeTypeDescription
                                                                                                                                                        21:08:02API Interceptor1x Sleep call for process: WerFault.exe modified
                                                                                                                                                        21:08:26API Interceptor40x Sleep call for process: AppLaunch.exe modified

                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                        IPs

                                                                                                                                                        No context

                                                                                                                                                        Domains

                                                                                                                                                        No context

                                                                                                                                                        ASNs

                                                                                                                                                        No context

                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                        No context

                                                                                                                                                        Dropped Files

                                                                                                                                                        No context

                                                                                                                                                        Created / dropped Files

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Gta_5_Mod_Menu.e_9a3653fd351b6f67b678151a3e6c91e5fc7_e9b9f6a7_1416ff49\Report.wer

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):65536
                                                                                                                                                        Entropy (8bit):0.8401074420951166
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:96:XCvFDMRMtMzvgMMNwoI7RW6tpXIQcQvc6QcEDMcw3DvMWM6+HbHg/8BRTf3OFL9g:Svy1HBUZMXIjluq/u7sVS274Itt
                                                                                                                                                        MD5:14BAFDB24431A9E6A6E5B01B0C0AB874
                                                                                                                                                        SHA1:476CF6A5F3EFE366D7ABFAF69A887583D59C1EA5
                                                                                                                                                        SHA-256:F1FD1E8515EDB62121A6FD74CBD8D2D5A8997B4AACCF77517665313ED7DA2EA9
                                                                                                                                                        SHA-512:87AA774515F1181DF8017050691A828ED9E474AE0A9C866273C3B930BED73D21248438326D11679F4566569FE9CAFF4D7F545717ABC130290198371366EBCA21
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.6.7.2.4.7.9.3.1.9.4.8.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.6.7.2.4.8.0.4.6.0.1.2.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.3.f.d.7.3.7.e.-.0.b.8.4.-.4.f.e.b.-.b.8.f.d.-.e.f.1.2.b.f.f.6.9.4.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.6.4.d.b.f.1.-.c.9.3.1.-.4.e.e.f.-.9.5.8.4.-.d.c.c.0.e.7.4.8.0.4.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.G.t.a._.5._.M.o.d._.M.e.n.u...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.2.4.-.0.0.0.1.-.0.0.1.9.-.4.7.5.7.-.e.d.6.2.1.8.5.a.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.a.4.7.5.4.c.e.0.7.c.e.a.b.b.3.8.d.b.9.8.4.b.e.8.d.6.9.d.8.1.8.0.0.0.0.1.a.0.8.!.0.0.0.0.c.e.2.7.1.6.6.d.4.2.e.8.1.2.6.a.1.0.3.3.0.f.5.c.b.3.d.7.1.f.5.7.8.f.6.b.7.e.f.5.!.G.t.a._.5._.M.o.d._.M.e.n.u...e.x.e.....T.a.r.g.e.t.

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF111.tmp.dmp

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:Mini DuMP crash report, 14 streams, Sun Mar 19 04:07:59 2023, 0x1205a4 type
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):40164
                                                                                                                                                        Entropy (8bit):1.884683204606578
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:KJuvH2jyaiUO64EKQJXPmajkktidZgU0GGaXFDxzeW+AW:au36ZKGPmawwisUFjCW6
                                                                                                                                                        MD5:60F33FDB80F7869D87D818CFF6623A20
                                                                                                                                                        SHA1:A266BB367029FA2ED5271500F90B7AA3D187BF82
                                                                                                                                                        SHA-256:209EECCD923262FB0079FA01FF80B135F0E63E4591A5625FDB288441DDCD4F02
                                                                                                                                                        SHA-512:83D518A320A99B9F36D3D77867F79320CF98742146AFDADD7E9481EA1A98BBB0B81AA281317A2547C9AB92BA14009769CAC4147250EF03132C4406BD76227F1B
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:MDMP....... ..........d.........................................&..........T.......8...........T...........................................................................................................U...........B......8.......GenuineIntelW...........T.......$......d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF269.tmp.WERInternalMetadata.xml

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):8412
                                                                                                                                                        Entropy (8bit):3.7027281111213677
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:192:Rrl7r3GLNipgc6h6YBSvSUngmfzS0Cpra89bn9rsf5dlm:RrlsNipb6h6YB6SUngmfzSvn9wfzo
                                                                                                                                                        MD5:CF45C898B5D086A5808CC687BD543A81
                                                                                                                                                        SHA1:972BF1A9FF72593FA46838FE088B7BE65CBD2DDC
                                                                                                                                                        SHA-256:CBE552C3105BE3870201AD191D58A90C10B1E07987A6B48B2433E9DD435C1F07
                                                                                                                                                        SHA-512:FC9F2E7046F68AC3CF31E1BA0D0AA7AB672D8BE3ED72923A66B503800E5FCC058EDFB3DD61EC7A512783895C54723F67374CECD5FC2823C1283C06E05BD77896
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.2.4.<./.P.i.d.>.......

                                                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2D8.tmp.xml

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):4734
                                                                                                                                                        Entropy (8bit):4.498836159978724
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:cvIwSD8zsMJgtWI9cCtWgc8sqYjV8fm8M4JLPMFk+q8v9PaLoBnizdd:uITfKrCcgrsqYWJzpKlauizdd
                                                                                                                                                        MD5:A9046676DF97E0420E3660EDAED9A7AE
                                                                                                                                                        SHA1:C908E89CB2C4CF1299052B36E10B6E206C80F27A
                                                                                                                                                        SHA-256:601E2BBB1DA03F3020264A49E372F1D8FFFE277305674465F132EBBAAF30A692
                                                                                                                                                        SHA-512:4B2B1FA7C76EC6A4AE78CB957B9367D0B620587D5E409AD91ECC71687D8DD1CF2383EBB68FF2E4E6B69EAA14C9D3CBC3C4F2A13CD088FF0976E3DE50CA6CB135
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:low
                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1959198" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):2843
                                                                                                                                                        Entropy (8bit):5.3371553026862095
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHK1HjHKg:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxU
                                                                                                                                                        MD5:DCF12DDFCA2FD2701AE5EA0012964E90
                                                                                                                                                        SHA1:AB37B70FB4E34C888BEFFFF54BA5AE34373C816B
                                                                                                                                                        SHA-256:3B28B517A00543FA53ADC147DB9996DF6FF59D002FF65823D5625B44B2D1A406
                                                                                                                                                        SHA-512:5D35EA912835CEB875896F9971225643642245BC6E356AF0D1B370CF4488CE7390D525E526256B9231511DACF4762094D219F20129D96C59778CEF91DDF06538
                                                                                                                                                        Malicious:false
                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                                                                                                                                        C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):1572864
                                                                                                                                                        Entropy (8bit):4.340519568673646
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:12288:ri8GQXFTEDXIRXnMA8adOIZqHcTrIgNvFpe4CRt1TaFNF/z8FDXE05:+8GQXFTEDXIRXnMYR7E
                                                                                                                                                        MD5:5329154E8AA80CB491DA57667FA0A0A9
                                                                                                                                                        SHA1:E63DE714CC83CE5E4CEF69DAEE4E1A20D2DE280C
                                                                                                                                                        SHA-256:35130EC6461CAC33A3A2081535B79C13DDC2BD2CAF16DB72C8F2DDB0F2BB19E9
                                                                                                                                                        SHA-512:653D4DD4C0B968BACD8FFE3F8CF4A6FF3135B7CE3BE33B94D00AA9191293EC928478A2FA78A1E00B1C8908BA1C4A5ACBAD2E3EE8F0BE22D823F4BAB92135D055
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:regfY...Y...p.\..,.................. ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.#.c.Z...............................................................................................................................................................................................................................................................................................................................................J.>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1

                                                                                                                                                        Download File
                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                        Category:dropped
                                                                                                                                                        Size (bytes):24576
                                                                                                                                                        Entropy (8bit):4.112763655721122
                                                                                                                                                        Encrypted:false
                                                                                                                                                        SSDEEP:384:U5u5+XtnxSC4LK3XJWGV6ypsmcJOosfi4RjYq2xehhfue16abmqDWV:mgqMC4LK3XJWGgyemcJOosfi4RjV2xeL
                                                                                                                                                        MD5:3DDA0D5A6056346F936AE9802CF4DAAA
                                                                                                                                                        SHA1:4BCE21D5649FC72B4CD79D9710FBCC91C284F4FD
                                                                                                                                                        SHA-256:7E7B3E64B4B4504A91F3D3F5EA0517393547564128C36277951A5212487E3E24
                                                                                                                                                        SHA-512:600977B73302178963DBAACDB5F8E99D5647D6737BD25992CFB5F9C72D1CAAEBB6303CFB364D95763058A8B6E5796778F9451B2EC2BE76B1C265E3DDA514A6F5
                                                                                                                                                        Malicious:false
                                                                                                                                                        Preview:regfX...X...p.\..,.................. ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.#.c.Z...............................................................................................................................................................................................................................................................................................................................................J.>HvLE.^......X....P......Xjw..A...@................... ...0..hbin................p.\..,..........nk,..#.c.Z.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..#.c.Z...... ...........P............... .......Z.......................Root........lf......Root....nk ..#.c.Z...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                                                                                                                                                        Static File Info

                                                                                                                                                        General

                                                                                                                                                        File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                        Entropy (8bit):6.498918006835838
                                                                                                                                                        TrID:
                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                        File name:Gta_5_Mod_Menu.exe
                                                                                                                                                        File size:262040
                                                                                                                                                        MD5:35be3beaaba232f6fde781242b9c5c4b
                                                                                                                                                        SHA1:ce27166d42e8126a10330f5cb3d71f578f6b7ef5
                                                                                                                                                        SHA256:1b9192644f1912431596a1c145b7ef462d241551ff9d6782ab1f34def2f373af
                                                                                                                                                        SHA512:9928f1f169d3bcec521c1484533834fc5bbb58fd610d9c067077668c86709a4cafc358a574acd4ae56e97cc9d3a5648c2e1e77c384db5a2fd1ca03fe294aab37
                                                                                                                                                        SSDEEP:3072:9i3kTLikhiGldyOSAmY6AHmSC0xA6t5PHN/rD7FFK/ykXw1wUpZ9jN:M4ukiyn6AH1C0uoU6feiL
                                                                                                                                                        TLSH:A644C538261446E4E4BAD83C2D90B4E070B67533EB87B8FF4E1D3726963119F75A067A
                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c-.H.C.H.C.H.C.VP..[.C.VP....C.VP..m.C.o.8.L.C.....K.C.H.B...C.Az..I.C.VP..I.C.Az..I.C.RichH.C.........PE..L...D..d...........

                                                                                                                                                        File Icon

                                                                                                                                                        Icon Hash:00828e8e8686b000

                                                                                                                                                        Static PE Info

                                                                                                                                                        General

                                                                                                                                                        Entrypoint:0x40372b
                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                        Digitally signed:true
                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                        Subsystem:windows cui
                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                        Time Stamp:0x6414BA44 [Fri Mar 17 19:06:44 2023 UTC]
                                                                                                                                                        TLS Callbacks:
                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                        OS Version Major:5
                                                                                                                                                        OS Version Minor:0
                                                                                                                                                        File Version Major:5
                                                                                                                                                        File Version Minor:0
                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                        Import Hash:df35d969e1568731b4c070bee6bd7122

                                                                                                                                                        Authenticode Signature

                                                                                                                                                        Signature Valid:false
                                                                                                                                                        Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                        Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                        Error Number:-2146869232
                                                                                                                                                        Not Before, Not After
                                                                                                                                                        • 5/12/2022 1:46:02 PM 5/11/2023 1:46:02 PM
                                                                                                                                                        Subject Chain
                                                                                                                                                        • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                        Version:3
                                                                                                                                                        Thumbprint MD5:D03E1ED3E72F64CC6C5A636BE32C29AD
                                                                                                                                                        Thumbprint SHA-1:97221B97098F37A135DCC212E2B41E452BCE51F2
                                                                                                                                                        Thumbprint SHA-256:AAE358FD90D5500110EE8BF3BD2C668F834559710DA7D75C266018BB9506F2F6
                                                                                                                                                        Serial:33000002CDF364BFF8D44C5D510000000002CD

                                                                                                                                                        Entrypoint Preview

                                                                                                                                                        Instruction
                                                                                                                                                        call 00007FE5487725C1h
                                                                                                                                                        jmp 00007FE54876FFB9h
                                                                                                                                                        mov edi, edi
                                                                                                                                                        push esi
                                                                                                                                                        push 00000001h
                                                                                                                                                        push 0043B9E4h
                                                                                                                                                        mov esi, ecx
                                                                                                                                                        call 00007FE548772641h
                                                                                                                                                        mov dword ptr [esi], 0040D8D4h
                                                                                                                                                        mov eax, esi
                                                                                                                                                        pop esi
                                                                                                                                                        ret
                                                                                                                                                        mov dword ptr [ecx], 0040D8D4h
                                                                                                                                                        jmp 00007FE5487726A6h
                                                                                                                                                        mov edi, edi
                                                                                                                                                        push ebp
                                                                                                                                                        mov ebp, esp
                                                                                                                                                        push esi
                                                                                                                                                        mov esi, ecx
                                                                                                                                                        mov dword ptr [esi], 0040D8D4h
                                                                                                                                                        call 00007FE548772693h
                                                                                                                                                        test byte ptr [ebp+08h], 00000001h
                                                                                                                                                        je 00007FE548770119h
                                                                                                                                                        push esi
                                                                                                                                                        call 00007FE548770FDDh
                                                                                                                                                        pop ecx
                                                                                                                                                        mov eax, esi
                                                                                                                                                        pop esi
                                                                                                                                                        pop ebp
                                                                                                                                                        retn 0004h
                                                                                                                                                        mov edi, edi
                                                                                                                                                        push ebp
                                                                                                                                                        mov ebp, esp
                                                                                                                                                        push esi
                                                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                                                        mov esi, ecx
                                                                                                                                                        call 00007FE548772612h
                                                                                                                                                        mov dword ptr [esi], 0040D8D4h
                                                                                                                                                        mov eax, esi
                                                                                                                                                        pop esi
                                                                                                                                                        pop ebp
                                                                                                                                                        retn 0004h
                                                                                                                                                        mov edi, edi
                                                                                                                                                        push ebp
                                                                                                                                                        mov ebp, esp
                                                                                                                                                        sub esp, 0Ch
                                                                                                                                                        jmp 00007FE54877011Fh
                                                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                                                        call 00007FE54877292Bh
                                                                                                                                                        pop ecx
                                                                                                                                                        test eax, eax
                                                                                                                                                        je 00007FE548770121h
                                                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                                                        call 00007FE548772845h
                                                                                                                                                        pop ecx
                                                                                                                                                        test eax, eax
                                                                                                                                                        je 00007FE5487700F8h
                                                                                                                                                        leave
                                                                                                                                                        ret
                                                                                                                                                        test byte ptr [0043CA20h], 00000001h
                                                                                                                                                        mov esi, 0043CA14h
                                                                                                                                                        jne 00007FE54877012Bh
                                                                                                                                                        or dword ptr [0043CA20h], 01h
                                                                                                                                                        mov ecx, esi
                                                                                                                                                        call 00007FE548770069h
                                                                                                                                                        push 0040C9DBh
                                                                                                                                                        call 00007FE5487727B2h
                                                                                                                                                        pop ecx
                                                                                                                                                        push esi
                                                                                                                                                        lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                                        call 00007FE5487800A2h

                                                                                                                                                        Rich Headers

                                                                                                                                                        Programming Language:
                                                                                                                                                        • [ASM] VS2008 build 21022
                                                                                                                                                        • [ C ] VS2008 build 21022
                                                                                                                                                        • [C++] VS2008 build 21022
                                                                                                                                                        • [IMP] VS2005 build 50727
                                                                                                                                                        • [C++] VS2008 SP1 build 30729
                                                                                                                                                        • [RES] VS2008 build 21022
                                                                                                                                                        • [LNK] VS2008 SP1 build 30729

                                                                                                                                                        Data Directories

                                                                                                                                                        NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xf5f40x50.rdata
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x3e0000x640.rsrc
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x3d8000x2798
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x3f0000xd48.reloc
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT0xd0000x10c.rdata
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                        Sections

                                                                                                                                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                        .text0x10000xb9ef0xba00False0.5593287970430108Matlab v4 mat-file (little endian) \354\010VW\307E\374, numeric, rows 0, columns 06.74235183795128IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                        .rdata0xd0000x2c1a0x2e00False0.454398777173913data5.8872406447459396IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                        .data0x100000x2d5fc0x2ca00False0.5094318977591037data6.047903459156929IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                        .rsrc0x3e0000x6400x800False0.353515625data3.288698491356012IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                        .reloc0x3f0000x19400x1a00False0.4343449519230769data4.294613327745058IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                        Resources

                                                                                                                                                        NameRVASizeTypeLanguageCountry
                                                                                                                                                        RT_VERSION0x3e2000x43cdataEnglishUnited States
                                                                                                                                                        RT_MANIFEST0x3e0a00x15aASCII text, with CRLF line terminatorsEnglishUnited States

                                                                                                                                                        Imports

                                                                                                                                                        DLLImport
                                                                                                                                                        KERNEL32.dllGetNativeSystemInfo, IsValidCodePage, GetModuleHandleA, FreeConsole, MultiByteToWideChar, GetProcAddress, GetCommandLineA, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, RaiseException, GetCPInfo, GetACP, GetOEMCP, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
                                                                                                                                                        USER32.dllShowScrollBar
                                                                                                                                                        COMDLG32.dllGetSaveFileNameA, GetOpenFileNameA

                                                                                                                                                        Possible Origin

                                                                                                                                                        Language of compilation systemCountry where language is spokenMap
                                                                                                                                                        EnglishUnited States

                                                                                                                                                        Network Behavior

                                                                                                                                                        Snort IDS Alerts

                                                                                                                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                                        192.168.2.582.115.223.4649702576722043231 03/18/23-21:08:36.493481TCP2043231ET TROJAN Redline Stealer TCP CnC Activity4970257672192.168.2.582.115.223.46
                                                                                                                                                        192.168.2.582.115.223.4649702576722043233 03/18/23-21:08:10.800408TCP2043233ET TROJAN RedLine Stealer TCP CnC net.tcp Init4970257672192.168.2.582.115.223.46
                                                                                                                                                        82.115.223.46192.168.2.557672497022043234 03/18/23-21:08:17.271452TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response576724970282.115.223.46192.168.2.5

                                                                                                                                                        Network Port Distribution

                                                                                                                                                        TCP Packets

                                                                                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                        Mar 18, 2023 21:08:10.409373045 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:10.450601101 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:10.450761080 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:10.800407887 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:10.869298935 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:10.924046040 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:16.963551998 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:17.004424095 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:17.127687931 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:17.271451950 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:17.271528959 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:24.290375948 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:24.335110903 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:24.335145950 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:24.335171938 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:24.335274935 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:24.378298998 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:25.688733101 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:25.730191946 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:25.776598930 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:29.940876007 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:29.982038975 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.011507034 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.051670074 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.097543955 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.220794916 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.260781050 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.261393070 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.316317081 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.426809072 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.467431068 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.519529104 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.578352928 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.621465921 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.626569986 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.667372942 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.669123888 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.719435930 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.769529104 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.804426908 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.844351053 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.844722986 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.846446991 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.886729956 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:30.930843115 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:30.972645998 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.839720011 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.879996061 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.880155087 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.880271912 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.880367994 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.880403042 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.880496979 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.880831957 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.880932093 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.919970036 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.920170069 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.920243025 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.920391083 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.920597076 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.920741081 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.921220064 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.921241999 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.921344042 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.921842098 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.922189951 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.922471046 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.923208952 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.923357964 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.960102081 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.960396051 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.960792065 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.961306095 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.961800098 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.962002993 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.962584019 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.963124037 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.963125944 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.963265896 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.963465929 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.963587046 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.963939905 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.964416981 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.964668989 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.964757919 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:31.965110064 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:31.965209007 CET4970257672192.168.2.582.115.223.46
                                                                                                                                                        Mar 18, 2023 21:08:32.004133940 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.004273891 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.004314899 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.005147934 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.005208015 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.005717039 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.006462097 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.006546974 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.007570982 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.008021116 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.008088112 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.008769989 CET576724970282.115.223.46192.168.2.5
                                                                                                                                                        Mar 18, 2023 21:08:32.009454966 CET576724970282.115.223.46192.168.2.5

                                                                                                                                                        Statistics

                                                                                                                                                        Behavior

                                                                                                                                                        Click to jump to process

                                                                                                                                                        System Behavior

                                                                                                                                                        General

                                                                                                                                                        Target ID:0
                                                                                                                                                        Start time:21:07:56
                                                                                                                                                        Start date:18/03/2023
                                                                                                                                                        Path:C:\Users\user\Desktop\Gta_5_Mod_Menu.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\Users\user\Desktop\Gta_5_Mod_Menu.exe
                                                                                                                                                        Imagebase:0xb40000
                                                                                                                                                        File size:262040 bytes
                                                                                                                                                        MD5 hash:35BE3BEAABA232F6FDE781242B9C5C4B
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.306737777.0000000000B50000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.295387303.0000000000A52000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        Reputation:low

                                                                                                                                                        General

                                                                                                                                                        Target ID:1
                                                                                                                                                        Start time:21:07:57
                                                                                                                                                        Start date:18/03/2023
                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                        Imagebase:0x7ff7fcd70000
                                                                                                                                                        File size:625664 bytes
                                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Target ID:2
                                                                                                                                                        Start time:21:07:57
                                                                                                                                                        Start date:18/03/2023
                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                                                                                                                                                        Imagebase:0x1190000
                                                                                                                                                        File size:98912 bytes
                                                                                                                                                        MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                                        Yara matches:
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.388076605.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.389921530.0000000006F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.389921530.000000000700B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                        Reputation:high

                                                                                                                                                        General

                                                                                                                                                        Target ID:5
                                                                                                                                                        Start time:21:07:58
                                                                                                                                                        Start date:18/03/2023
                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 132
                                                                                                                                                        Imagebase:0x360000
                                                                                                                                                        File size:434592 bytes
                                                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                        Reputation:high

                                                                                                                                                        Disassembly

                                                                                                                                                        No disassembly