Windows Analysis Report
ChromeFIX_errorMEM.exe

Overview

General Information

Sample Name:ChromeFIX_errorMEM.exe
Analysis ID:829699
MD5:74b6b35627f6453d787f1c7ea3b9ec33
SHA1:a9282e204443fed6e0be28e8e2dfe7c927706428
SHA256:51921d13908bd84b1c8fbdd77e6e29d4359ce0fc40857f6f0ad15b1b6ee74730
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains functionality to inject code into remote processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ChromeFIX_errorMEM.exe (PID: 5764 cmdline: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe MD5: 74B6B35627F6453D787F1C7EA3B9EC33)
    • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 5828 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • WerFault.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Name:RedLine Stealer
Description:RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["135.181.173.163:4323"], "Authorization Header": "a909e2aaecf96137978fea4f86400b9b"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: AppLaunch.exe PID: 5828 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: AppLaunch.exe PID: 5828 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
2.2.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.AppLaunch.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a2:$v2_1: ListOfProcesses
  • 0x13281:$v4_3: base64str
  • 0x13e05:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12814:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1a434:$pat14: , CommandLine:
  • 0x134a2:$v2_1: ListOfProcesses
  • 0x13281:$v4_3: base64str
  • 0x13e05:$v4_4: stringKey
  • 0x11b63:$v4_5: BytesToStringConverted
  • 0x10d76:$v4_6: FromBase64
  • 0x12098:$v4_8: procName
  • 0x12814:$v5_5: FileScanning
  • 0x11d6c:$v5_7: RecordHeaderField
  • 0x11a34:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Timestamp:03/19/23-00:27:09.983730
Source IP:192.168.2.3
Destination IP:135.181.173.163
Source Port:49685
Destination Port:4323
SID:2043233
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/19/23-00:27:12.062612
Source IP:135.181.173.163
Destination IP:192.168.2.3
Source Port:4323
Destination Port:49685
SID:2043234
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/19/23-00:27:21.986883
Source IP:192.168.2.3
Destination IP:135.181.173.163
Source Port:49685
Destination Port:4323
SID:2043231
Protocol:TCP
Classtype:A Network Trojan was detected

                    AV Detection

Source: ChromeFIX_errorMEM.exe | ReversingLabs: Detection: 38%
Source: ChromeFIX_errorMEM.exe | Virustotal: Detection: 48%
Source: ChromeFIX_errorMEM.exe | Joe Sandbox ML: detected
Source: 2.2.AppLaunch.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["135.181.173.163:4323"], "Authorization Header": "a909e2aaecf96137978fea4f86400b9b"}
Source: ChromeFIX_errorMEM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ChromeFIX_errorMEM.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Networking

Source: Traffic | Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49685 -> 135.181.173.163:4323
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49685 -> 135.181.173.163:4323
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 135.181.173.163:4323 -> 192.168.2.3:49685
Source: Malware configuration extractor | URLs: 135.181.173.163:4323
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: global traffic | TCP traffic: 192.168.2.3:49685 -> 135.181.173.163:4323
Source: unknown | TCP traffic detected without corresponding DNS query: 135.181.173.163
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FC3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: AppLaunch.exe, 00000002.00000002.305735344.00000000071E2000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: Amcache.hve.4.drString found in binary or memory: http://upx.sf.net
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: ChromeFIX_errorMEM.exe, ChromeFIX_errorMEM.exe, 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, ChromeFIX_errorMEM.exe, 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000006FC3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                    Source: AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                    Source: AppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: ChromeFIX_errorMEM.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Code function: 0_2_00FDC292
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Code function: 0_2_00FDA480
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Code function: 0_2_00FD99F8
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Code function: 0_2_00FDAB78
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Code function: 0_2_00FD8741
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Code function: 0_2_00FD9F3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0941F7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0941F368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58F550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A585D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58B315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58B308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58B30C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58E67A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58E688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A58F541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A589838
Source: ChromeFIX_errorMEM.exe | Binary or memory string: OriginalFilename vs ChromeFIX_errorMEM.exe
Source: ChromeFIX_errorMEM.exe, 00000000.00000003.240337295.0000000000F9E000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFrowstiest.exe< vs ChromeFIX_errorMEM.exe
Source: ChromeFIX_errorMEM.exe, 00000000.00000000.238359186.000000000100E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOldtimersB vs ChromeFIX_errorMEM.exe
Source: ChromeFIX_errorMEM.exe, 00000000.00000002.247812016.000000000100B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFrowstiest.exe< vs ChromeFIX_errorMEM.exe
Source: ChromeFIX_errorMEM.exe | Binary or memory string: OriginalFilenameOldtimersB vs ChromeFIX_errorMEM.exe
Source: ChromeFIX_errorMEM.exe | ReversingLabs: Detection: 38%
Source: ChromeFIX_errorMEM.exe | Virustotal: Detection: 48%
Source: ChromeFIX_errorMEM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe C:\Users\user\Desktop\ChromeFIX_errorMEM.exe
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132
Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB77.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/7@0/1
Source: AppLaunch.exe, 00000002.00000002.305735344.000000000726D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007373000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007282000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080EC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000813D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007387000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007304000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000072F0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5764
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: ChromeFIX_errorMEM.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD5A19 push ecx; ret
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FE0709 push es; ret
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD7E1C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOX (62 identical entries collapsed)
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX (20 identical entries collapsed)

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5660Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5580Thread sleep count: 2645 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5856Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeRegistry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow / User API: threadDelayed 2645
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477 (2 occurrences)
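The sleep figures above are easier to judge once converted. Added example, not part of the Joe Sandbox report and not RedLine code: a small Python triage routine that parses lines in the report's own "Thread sleep time" / "Thread sleep count" / "Thread delayed" format and labels each delay. The 30000 ms window and the 30-call threshold are the ones the report itself prints. The reading of 922337203685477 as an infinite wait is arithmetic (2^63 ticks of 100 ns, truncated to milliseconds), and treating a negative value as a relative NT timeout is an assumption about the report's notation. The sample lines are constructed.

```python
import re
from dataclasses import dataclass

# An NT relative timeout is a signed 64-bit count of 100 ns ticks. The largest
# magnitude, 2**63 ticks, truncates to 922337203685477 ms, which is exactly the
# value the report prints: an "infinite" wait as seen by a hook that converts
# the timeout to milliseconds (inference from the arithmetic, not stated by the report).
INFINITE_WAIT_MS = 2**63 // 10_000

ANALYSIS_WINDOW_MS = 30_000   # the report's own "-30000s" comparison value
SLEEP_COUNT_LIMIT = 30        # the report's own "> 30" sleep-count threshold

# Constructed sample lines in the report's flattened format (not a real run).
SAMPLE_LINES = [
    "Source: AppLaunch.exe TID: 5660Thread sleep time: -4611686018427385s >= -30000s",
    "Source: AppLaunch.exe TID: 5580Thread sleep count: 2645 > 30",
    "Source: AppLaunch.exe TID: 5856Thread sleep time: -922337203685477s >= -30000s",
    "Source: AppLaunch.exeThread delayed: delay time: 922337203685477",
    "Source: notepad.exe TID: 1234Thread sleep time: -250s >= -30000s",
]

SLEEP_TIME_RE = re.compile(r"TID: (\d+)Thread sleep time: (-?\d+)s")
SLEEP_COUNT_RE = re.compile(r"TID: (\d+)Thread sleep count: (\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


@dataclass
class Finding:
    tid: str      # thread id, "?" when the line carries none
    kind: str     # "infinite", "stalling", "sleep-loop" or "benign"
    detail: str


def classify_sleep_ms(value: int) -> str:
    """Label one sleep/delay value. A negative value is read as a relative
    timeout (NT convention; assumed to be the report's notation), so only
    its magnitude matters."""
    ms = abs(value)
    if ms == INFINITE_WAIT_MS:
        return "infinite"      # never wakes up on its own
    if ms >= ANALYSIS_WINDOW_MS:
        return "stalling"      # outlasts the sandbox's patience
    return "benign"


def triage_sleep_lines(lines):
    """Turn report lines into Findings; lines that match no pattern are skipped."""
    findings = []
    for line in lines:
        if m := SLEEP_TIME_RE.search(line):
            ms = int(m.group(2))
            findings.append(Finding(m.group(1), classify_sleep_ms(ms), f"sleep {ms} ms"))
        elif m := SLEEP_COUNT_RE.search(line):
            count = int(m.group(2))
            kind = "sleep-loop" if count > SLEEP_COUNT_LIMIT else "benign"
            findings.append(Finding(m.group(1), kind, f"{count} sleep calls"))
        elif m := DELAY_RE.search(line):
            ms = int(m.group(1))
            findings.append(Finding("?", classify_sleep_ms(ms), f"delay {ms} ms"))
    return findings


def evasion_score(findings):
    """Number of distinct evasive behaviours seen (0-3); two or more is a strong signal."""
    return len({f.kind for f in findings if f.kind != "benign"})


if __name__ == "__main__":
    found = triage_sleep_lines(SAMPLE_LINES)
    for f in found:
        print(f"TID {f.tid:>5}  {f.kind:<10} {f.detail}")
    print("evasion score:", evasion_score(found))
```

The three behaviours are worth keeping apart: an infinite wait on one thread is harmless by itself (a worker parked on an event), a multi-minute sleep is what a sandbox's time budget is built to miss, and thousands of short sleeps on one thread is the loop variant that defeats sleep-skipping. Seeing all three in one .NET process, as here, is what the report's "May sleep (evasive loops)" and "Contains long sleeps" signatures are summarising.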
                    Source: Amcache.hve.4.drBinary or memory string: VMware
                    Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: Amcache.hve.4.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                    Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.4.drBinary or memory string: VMware7,1
                    Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.me
                    Source: Amcache.hve.4.drBinary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                    Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
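The Amcache strings above are what the sample's Win32_VideoController, Win32_DiskDrive and Win32_Processor queries see on this analysis VM: the hypervisor is named in the BIOS vendor, the system product and every virtual disk. Added example, not part of the report: a Python hygiene check a sandbox operator can run over an inventory of those WMI classes to list which fields give the VM away and which resource sizes fall under thresholds commonly used for evasion. The records are constructed from the strings in the report plus invented values; the marker list and the thresholds are this example's own, not RedLine's.

```python
# Substrings that identify common hypervisors in device and firmware strings.
# The list is this example's own; extend it for your lab's hypervisor.
HYPERVISOR_MARKERS = ("vmware", "vmw", "virtualbox", "vbox", "qemu", "kvm", "xen",
                      "hyper-v", "virtual disk", "virtual usb", "virtual cd")

# Illustrative resource thresholds (not RedLine's): a box under these looks like a sandbox.
MIN_DISK_BYTES = 60 * 1024**3
MIN_CORES = 2
MIN_VRAM_BYTES = 64 * 1024**2

# Constructed records shaped like the WMI classes the sample queries, plus the
# SMBIOS fields visible in the report's Amcache strings (not a live WMI call).
SAMPLE_INVENTORY = {
    "Win32_VideoController": [{"Name": "VMware SVGA 3D", "AdapterRAM": 8 * 1024**2}],
    "Win32_DiskDrive": [{"Model": "VMware Virtual disk SCSI Disk Device",
                         "PNPDeviceID": r"SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000",
                         "Size": 64 * 1024**3}],
    "Win32_Processor": [{"Name": "Intel(R) Core(TM) i7", "NumberOfCores": 2}],
    "Win32_BIOS": [{"Manufacturer": "VMware, Inc.",
                    "SMBIOSBIOSVersion": "VMW71.00V.18227214.B64.2106252220"}],
    "Win32_ComputerSystem": [{"Manufacturer": "VMware, Inc.", "Model": "VMware7,1"}],
}


def find_hypervisor_leaks(inventory):
    """Return (class, field, value) for every string property that names a hypervisor."""
    leaks = []
    for cls, records in inventory.items():
        for rec in records:
            for field, value in rec.items():
                if isinstance(value, str) and any(m in value.lower() for m in HYPERVISOR_MARKERS):
                    leaks.append((cls, field, value))
    return leaks


def resource_tells(inventory):
    """Resource-based tells: tiny disk, single core, next to no video RAM."""
    tells = []
    disk = sum(d.get("Size", 0) for d in inventory.get("Win32_DiskDrive", []))
    if disk < MIN_DISK_BYTES:
        tells.append(f"total disk {disk // 1024**3} GiB")
    cores = sum(p.get("NumberOfCores", 0) for p in inventory.get("Win32_Processor", []))
    if cores < MIN_CORES:
        tells.append(f"{cores} CPU cores")
    vram = sum(v.get("AdapterRAM", 0) for v in inventory.get("Win32_VideoController", []))
    if vram < MIN_VRAM_BYTES:
        tells.append(f"{vram // 1024**2} MiB video RAM")
    return tells


def hygiene_report(inventory):
    """Everything a fingerprinting stealer could use, and whether the box would pass."""
    leaks = find_hypervisor_leaks(inventory)
    tells = resource_tells(inventory)
    return {"leaks": leaks, "resource_tells": tells, "would_pass": not leaks and not tells}


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_INVENTORY)
    for cls, field, value in report["leaks"]:
        print(f"LEAK  {cls}.{field} = {value!r}")
    for tell in report["resource_tells"]:
        print(f"TELL  {tell}")
    print("would pass:", report["would_pass"])
```

The string leaks are the ones that matter: the report's "VMware7,1" system product and the "VEN_VMWARE&PROD_VIRTUAL_DISK" PNP ids are visible to any process through plain WMI, with no privilege needed. Patching the resource figures without renaming the firmware and disk strings buys nothing against a sample that runs these queries.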
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD6A64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD7E1C LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_0100BD54 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeProcess queried: DebugPort (2 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FDBAC5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD466F SetUnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD6A64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD7594 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4F25008
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_0100BD89 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
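The call chain at 0_2_0100BD89 is the textbook process-hollowing sequence: create AppLaunch.exe, read its thread context, allocate and write into it (an RWX region at the image base 400000, the second write starting with the 4D5A MZ header, per the lines above), then SetThreadContext and ResumeThread so the suspended child runs the injected image. Added example, not from the report and not RedLine code: a Python checker that takes "Code function:" and "Memory written:" lines in the report's format and tests whether the API calls appear in hollowing order and whether a PE header was written to the target's image base. The Win32/native API groupings are an assumption of this example; the first sample line is the report's own chain, the rest are invented for contrast.

```python
import re

# Each stage is satisfied by any one of the listed API names and the stages
# must appear in this order. The Win32/native pairings are this example's
# assumption; the "read thread context" stage is optional because some
# hollowers fetch the PEB another way.
HOLLOWING_STAGES = (
    # (stage name, accepted API names, required)
    ("create target (suspended)", {"CreateProcessW", "CreateProcessA",
                                   "CreateProcessInternalW", "NtCreateUserProcess"}, True),
    ("read thread context",       {"GetThreadContext", "Wow64GetThreadContext",
                                   "NtGetContextThread"}, False),
    ("allocate in target",        {"VirtualAllocEx", "NtAllocateVirtualMemory"}, True),
    ("write image into target",   {"WriteProcessMemory", "NtWriteVirtualMemory"}, True),
    ("hijack entry point",        {"SetThreadContext", "Wow64SetThreadContext",
                                   "NtSetContextThread"}, True),
    ("resume target",             {"ResumeThread", "NtResumeThread"}, True),
)
REQUIRED_STAGES = [name for name, _, required in HOLLOWING_STAGES if required]

CODE_FUNCTION_RE = re.compile(r"Code function: (\S+) (.+)$")
MZ_WRITE_RE = re.compile(
    r"Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: 4D5A")

# Constructed sample lines in the report's format. The first two follow the
# report's own 0_2_0100BD89 chain and MZ write; the others are invented.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\ChromeFIX_errorMEM.exeCode function: 0_2_0100BD89 "
    "CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,"
    "WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,"
    "SetThreadContext,ResumeThread,",
    "Source: C:\\Users\\user\\Desktop\\ChromeFIX_errorMEM.exeMemory written: "
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe base: 400000 value starts with: 4D5A",
    # Plain child launch: no injection primitives at all.
    "Source: C:\\Windows\\explorer.exeCode function: 0_2_00401000 CreateProcessW,WaitForSingleObject,CloseHandle,",
    # Classic remote-thread injection: writes memory but never hijacks a thread context.
    "Source: C:\\Users\\user\\Desktop\\other.exeCode function: 0_2_00402000 "
    "OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,",
]


def parse_code_functions(lines):
    """Return {function_id: [api, api, ...]} from 'Code function:' lines."""
    chains = {}
    for line in lines:
        m = CODE_FUNCTION_RE.search(line)
        if m:
            chains[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return chains


def hollowing_stages(api_calls):
    """Greedy, order-sensitive match; returns the stage names found, in order.
    Matching stops at the first missing required stage."""
    found, pos = [], 0
    for name, apis, required in HOLLOWING_STAGES:
        idx = next((i for i in range(pos, len(api_calls)) if api_calls[i] in apis), None)
        if idx is None:
            if required:
                break
            continue
        found.append(name)
        pos = idx + 1
    return found


def is_hollowing(api_calls):
    found = hollowing_stages(api_calls)
    return all(name in found for name in REQUIRED_STAGES)


def mz_written_at_base(lines):
    """(target, base) pairs where a PE header was written into another process."""
    return [(m.group("target"), m.group("base")) for m in map(MZ_WRITE_RE.search, lines) if m]


def assess(lines):
    chains = parse_code_functions(lines)
    hollowing = [fid for fid, calls in chains.items() if is_hollowing(calls)]
    mz = mz_written_at_base(lines)
    if hollowing and mz:
        verdict = "process hollowing (call chain + MZ header written to image base)"
    elif hollowing:
        verdict = "process hollowing (call chain only)"
    elif mz:
        verdict = "PE written into foreign process (chain incomplete)"
    else:
        verdict = "no hollowing indicators"
    return {"hollowing_functions": hollowing, "mz_writes": mz, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_LINES))
```

The SetThreadContext step is what separates hollowing from ordinary remote-thread injection, so the checker insists on it; the MZ write to the child's own image base is the corroborating artefact, since a benign parent never overwrites a child's headers. On a live host the same two facts are what an EDR reads from ETW or a kernel callback rather than from a sandbox trace.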
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: GetLocaleInfoA,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\ChromeFIX_errorMEM.exeCode function: 0_2_00FD5BBC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
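These six queries are how the stealer learns which security products are registered and whether they are actually running. ROOT\SecurityCenter is the legacy (Windows XP era) namespace and ROOT\SecurityCenter2 the one populated on current client editions, so querying both is a compatibility habit; neither exists on Windows Server, which is one reason this telemetry is absent there. Added example, not part of the report and not RedLine code: Python that decodes the productState value these classes return, with constructed rows in place of a live WMI call. Microsoft does not document the productState bit layout; the decoding below is the widely used community one and is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed rows mirroring what IWbemServices::ExecQuery on
# ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct returns (not live data).
SAMPLE_ROWS = [
    {"displayName": "Windows Defender", "productState": 0x061100,
     "pathToSignedProductExe": "windowsdefender://"},
    {"displayName": "Example AV (disabled)", "productState": 0x060100,
     "pathToSignedProductExe": r"C:\Program Files\Example\av.exe"},
    {"displayName": "Example AV (stale signatures)", "productState": 0x041010,
     "pathToSignedProductExe": r"C:\Program Files\Example\av2.exe"},
]


@dataclass(frozen=True)
class ProductStatus:
    name: str
    enabled: bool
    up_to_date: bool
    raw: int


def decode_product_state(state: int) -> tuple:
    """Split productState into (enabled, up_to_date).

    Layout (community decoding, undocumented by Microsoft, assumed here):
      0xPPSSUU  PP = product owner/type (not decoded),
                SS = 0x10 or 0x11 means enabled, 0x00 or 0x01 means off,
                UU = 0x00 means signatures current, 0x10 means out of date.
    """
    if not 0 <= state <= 0xFFFFFF:
        raise ValueError(f"productState out of range: {state:#x}")
    ss = (state >> 8) & 0xFF
    uu = state & 0xFF
    return ss in (0x10, 0x11), uu == 0x00


def summarize(rows):
    """One ProductStatus per WMI row."""
    return [ProductStatus(r["displayName"], *decode_product_state(r["productState"]),
                          r["productState"]) for r in rows]


def effective_protection(rows):
    """What the stealer actually learns: is any registered product both on and current?"""
    statuses = summarize(rows)
    active = [s.name for s in statuses if s.enabled and s.up_to_date]
    degraded = [s.name for s in statuses if s.enabled and not s.up_to_date]
    return {"active": active, "degraded": degraded,
            "unprotected": not active and not degraded}


if __name__ == "__main__":
    for s in summarize(SAMPLE_ROWS):
        print(f"{s.name:32} state={s.raw:#08x} enabled={s.enabled} up_to_date={s.up_to_date}")
    print(effective_protection(SAMPLE_ROWS))
```

The same decoding applies to the AntiSpywareProduct and FirewallProduct rows. From a detection standpoint, a non-security process enumerating SecurityCenter2 is a usable signal on its own: Security Center consumers on a workstation are the shell, a handful of Microsoft services and the installed AV, not a freshly launched copy of AppLaunch.exe.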
                    Source: Amcache.hve.4.drBinary or memory string: c:\users\user\desktop\procexp.exe
                    Source: Amcache.hve.4.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.4.drBinary or memory string: procexp.exe

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 5828, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 5828, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ChromeFIX_errorMEM.exe.fd0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 5828, type: MEMORYSTR
                    Mitre Att&ck Matrix

                    The matrix is listed per tactic. A number in front of a technique is the report's own match badge, kept as printed; techniques without one are the default grid entries.

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: 221 Windows Management Instrumentation; 2 Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Privilege Escalation: 411 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Obfuscated Files or Information; Steganography; Compile After Delivery
                    Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: 1 System Time Discovery; 251 Security Software Discovery; 11 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 134 System Information Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                    SourceDetectionScannerLabelLink
                    ChromeFIX_errorMEM.exe38%ReversingLabsWin32.Trojan.CrypterX
                    ChromeFIX_errorMEM.exe49%VirustotalBrowse
                    ChromeFIX_errorMEM.exe100%Joe Sandbox ML
                    No Antivirus matches
                    SourceDetectionScannerLabelLinkDownload
                    2.2.AppLaunch.exe.400000.0.unpack100%AviraHEUR/AGEN.1252166Download File
                    0.3.ChromeFIX_errorMEM.exe.f80000.0.unpack100%AviraHEUR/AGEN.1252166Download File
                    No Antivirus matches
                    SourceDetectionScannerLabelLink
135.181.173.163:4323 | 0% | Avira URL Cloud | safe |
135.181.173.163:4323 | 4% | Virustotal | | Browse
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
135.181.173.163:4323 | true | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/soap/envelope/AppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://search.yahoo.com?fr=crmas_sfpfAppLaunch.exe, 00000002.00000002.310729821.0000000007FCC000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000838E000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080C8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.00000000080E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007499000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000007FE9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007148000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008371000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.0000000007409000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.000000000702B000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000071D5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.000000000804A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.310729821.0000000008067000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.305735344.00000000070BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://ns.ado/1.0/sAppLaunch.exe, 00000002.00000002.305624677.00000000054C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1AppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trustAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/06/addressingexAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoorAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseAppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewAppLaunch.exe, 00000002.00000002.305735344.0000000006FAF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id17ResponseAppLaunch.exe, 00000002.00000002.305735344.0000000006F21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
Contacted IPs. Columns: IP | Domain | Country | ASN | ASN Name | Malicious

135.181.173.163 | unknown | Germany | 24940 | HETZNER-ASDE | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 829699
Start date and time: 2023-03-19 00:26:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA (Hybrid Code Analysis) enabled
• EGA (Execution Graph Analysis) enabled
• HDC (Hybrid Decompilation) enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: ChromeFIX_errorMEM.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/7@0/1
EGA Information:
• Successful, ratio: 50%
HDC Information:
• Successful, ratio: 90.7% (good quality ratio 87%)
• Quality average: 82.8%
• Quality standard deviation: 25.7%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.189.173.22
• Excluded domains from analysis (whitelisted): fs.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
• Execution Graph export aborted for target AppLaunch.exe, PID 5828 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtOpenFile calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
Behavior timeline. Columns: Time | Type | Description

00:27:01 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
00:27:26 | API Interceptor | 15x Sleep call for process: AppLaunch.exe modified
                                                                                                                                                    No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8431639159677459
Encrypted: false
SSDEEP: 96:aFeMHFau7TeecwtoI7Rj6tpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OFL9iVffYEs:QMu7fwHBUZMXYjJSq/u7sWS274ItJz
MD5: 932664183AA0A32C0E1B63E46AA0FFDA
SHA1: DFD33ECC6A7B5717CDCE2947D4BC682678A35BB7
SHA-256: 731413517DFB42E2D12A6D01BA9A60A14F85A9916A1CB27DD8E97C9CEB9BD63C
SHA-512: F47A833A117DE80992809E0307A34C0FD5F63D2B0261ECB2F65EC6DB52C5B905776DE066B8AB66C21E71B33030438CADBE994331063941E2DB9C465659D3942B
Malicious: false
Reputation: low
                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.6.8.4.4.1.9.1.8.4.0.5.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.6.8.4.4.1.9.7.3.0.9.4.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.2.5.d.5.3.a.-.a.9.1.c.-.4.9.8.6.-.a.a.1.4.-.f.0.a.2.6.e.9.a.1.a.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.5.5.1.d.e.3.-.1.7.3.c.-.4.8.a.3.-.8.0.f.5.-.d.e.e.0.3.0.7.c.2.6.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.h.r.o.m.e.F.I.X._.e.r.r.o.r.M.E.M...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.4.-.0.0.0.1.-.0.0.1.f.-.2.0.7.e.-.d.d.2.f.3.4.5.a.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.2.0.4.c.f.7.6.6.2.8.a.2.9.3.7.7.5.9.c.3.b.1.8.0.8.0.e.c.d.3.e.0.0.0.0.1.a.0.8.!.0.0.0.0.a.9.2.8.2.e.2.0.4.4.4.3.f.e.d.6.e.0.b.e.2.8.e.8.e.2.d.f.e.7.c.9.2.7.7.0.6.4.2.8.!.C.h.r.o.m.e.F.I.X._.e.r.r.o.r.M.E.M...e.x.e.
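The Size, Entropy (8bit), Encrypted and hash fields above are the standard triage record for a dropped file: the 8-bit Shannon entropy tells an analyst at a glance whether a blob is plain text (low), a binary with structure (middling) or compressed, packed or encrypted data (close to the 8.0 ceiling). The following Python is an added example that recomputes those fields over constructed sample buffers; it is not Joe Sandbox code, the sample buffers are not the report's files, and the threshold used for the encryption hint is an assumption made here, since the report does not state how its own Encrypted flag is derived.

```python
"""Recompute the dropped-file triage fields a sandbox lists (size, 8-bit
Shannon entropy, MD5/SHA-1/SHA-256/SHA-512) and derive an
'encrypted or packed?' hint from the entropy.

Added example; not Joe Sandbox code. HIGH_ENTROPY_THRESHOLD is an
assumption made here: the report does not say how its Encrypted flag is
computed.
"""
import hashlib
import math
from collections import Counter

# Assumed threshold in bits per byte. Text and XML sit far below it;
# compressed, packed or encrypted data approaches the ceiling of 8.0.
HIGH_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: -sum(p(b) * log2(p(b))) over the byte values present."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_summary(data: bytes) -> dict:
    """One row of a dropped-file table, plus an entropy-based encryption hint."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(ent, 4),
        "likely_encrypted": ent >= HIGH_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 of a counter) so the example
    runs offline and reproducibly; stands in for encrypted content."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


# Constructed samples (not the report's files). SAMPLE_ASCII imitates the
# key=value layout of a WER Report.wer; SAMPLE_UTF16 is the same text as
# UTF-16LE, the encoding WER actually writes (every other byte is 0x00, which
# lowers the entropy); SAMPLE_PADDED appends NULs up to 64 KiB to show how a
# long run of one byte value drags entropy down further.
SAMPLE_ASCII = b"Version=1\r\nEventType=BEX\r\nReportType=2\r\nConsent=1\r\n" * 20
SAMPLE_UTF16 = SAMPLE_ASCII.decode("ascii").encode("utf-16-le")
SAMPLE_PADDED = SAMPLE_UTF16.ljust(65536, b"\x00")
SAMPLE_RANDOM = _pseudo_random(65536)


if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII), ("utf16", SAMPLE_UTF16),
                      ("utf16+nul-padding", SAMPLE_PADDED), ("random", SAMPLE_RANDOM)]:
        s = file_summary(buf)
        print(f"{name:>18}: size={s['size']:6d} entropy={s['entropy']:.4f} "
              f"likely_encrypted={s['likely_encrypted']} sha256={s['sha256'][:16]}...")
```

Run it as a script to see the four rows side by side. The point for triage: a 64 KiB file with entropy below 1.0, like the WerFault report above, is almost entirely one byte value (padding or NUL-heavy UTF-16), whereas anything above roughly 7.2 bits per byte deserves a look as a possible encrypted payload or packed stage; the exact cut-off is a tuning choice, not a property of the format.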
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sun Mar 19 07:26:59 2023, 0x1205a4 type
Category: dropped
Size (bytes): 45376
Entropy (8bit): 1.8124432683259049
Encrypted: false
SSDEEP: 192:PYNhZ7wO64/9+6J1QxS7obbS4Eu83YQO:o6y+gCJ/Eu8I5
MD5: 41DB3C3E47377B047B1DE1E5FFD5C8BC
SHA1: 88191D097E0AAEA3EDA8E129CD653EC4C576FFC8
SHA-256: EE0194B9F7BDF480A5581080E7E50708F4936A3AA4E5D9FF89E6699FFD08CBD4
SHA-512: 39892083ACD433A09CFC584E5B28C9B9A23AFB0A802684A66610AC4E07C559DDBEC1DCCF48A5B87FF6171CF188E7169F9C033D4391C41A8DE6FF9046DA6D82F7
Malicious: false
Reputation: low
                                                                                                                                                    Preview:MDMP....... .......C..d.........................................)..........T.......8...........T...............@............................................................................................U...........B......h.......GenuineIntelW...........T...........A..d.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8434
Entropy (8bit): 3.700284113308964
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiK2646YqASUOMvgmfaxmSxCpr/89blLsf+U3m:RrlsNir646YtSUdgmfrShlQfU
MD5: 63F6B02D4E232F69FC8F56115D6D36E7
SHA1: 8AC18D6573CFE28C82C1DCE437D9C86AC1C7B551
SHA-256: B32C3C77A4D4EFC30FA5695A2AD1C04D0C7D3675BAA9132C433075F3C753E540
SHA-512: 5064063B7DE8EA497A026C614B521C99CFA64811CEE8A909D8031E27998C6F966006AEF4903722ECE476877F29A3DA823FB77274429DB96E38CDFBF9EFB19CDE
Malicious: false
Reputation: low
                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.4.<./.P.i.d.>.......
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4756
                                                                                                                                                    Entropy (8bit):4.505325155750122
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:cvIwSD8zsrJgtWI9/iVSWgc8sqYjf8fm8M4JA2gGMF6+q8vLgGYOvSWdutItfd:uITfFIiVzgrsqYoJpDKnYAUefd
                                                                                                                                                    MD5:8E71765A94A747E842E3E511ACA1C481
                                                                                                                                                    SHA1:1BCF6F023AEDD246F13084E27DECF3891F65C13D
                                                                                                                                                    SHA-256:5C5939271ACBBAF82A589CCF7307A8C541F1449F556EA5BFE2C37FE2BA36CD29
                                                                                                                                                    SHA-512:B0B682AB135A1272D22A308F847CCB0E5B607B883DAEFAE7B3184EB2C172BE7243FC01E46EE0212DFBDC0D09C8A2653455BF9DCCB8B196E8C90B603DE44DBFCF
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1959397" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):2752
                                                                                                                                                    Entropy (8bit):5.335270411216887
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHKx1qHjq:iqXeqm00YqhQnouOqLqdqNq2qzcGtIx4
                                                                                                                                                    MD5:325ECAAB191D9F741B127964E978A5D3
                                                                                                                                                    SHA1:B5E61B16E9399D102A00613323001CD69AC3E97A
                                                                                                                                                    SHA-256:38B47B7B5BA6D77CED448D8396426AC9B6C722A12F61793D3FD79E3AD1615123
                                                                                                                                                    SHA-512:D5017FC87DA83B8A1B336B3FBF779CB5040F3C0AD4FD4D9D661E7D953C816648D09D24A46B8C3A75F65CE717E237E350F0489EC3491844D791D4AFE2E8368BD4
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1572864
                                                                                                                                                    Entropy (8bit):4.288770781817703
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:XcJvy5zN1sUbP5nASQw0IQYVA17eAVAG1HxbZC30pr1ci+fDDLnbwOzb:Wvy5zN1sUbP5nA6yWX
                                                                                                                                                    MD5:D94238BC69165D83EFA7BFAF027528CE
                                                                                                                                                    SHA1:84D7B17EE2B4E6171B8D500B0CA61531DF6A5DE6
                                                                                                                                                    SHA-256:095DDD91051AF1AD2181EBF7C5874B59944E777880FBC8F10BAB2321AF26C14E
                                                                                                                                                    SHA-512:2CECCA35BD98A5F35FF4D206D073BA02E618F10E94A0C3C47171FE0AD42743B75D288C372066621FF73945D6B453E092CE51CE852D680CC789FE086AC5D2B6C2
                                                                                                                                                    Malicious:false
                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):28672
                                                                                                                                                    Entropy (8bit):3.8172451480315845
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:qCeRftx1sJ4JnHFAJfXqp+pkkqIDSC9OeMYUC5Wf:++im6i
                                                                                                                                                    MD5:7C21FF446BEB27DAE44DA9E1C7DB0C2E
                                                                                                                                                    SHA1:53A45C582CD93E62AB52026AAEECE59C72CA8F6C
                                                                                                                                                    SHA-256:AD4F07B60AA90C2EB8809688E529F537603C98B591E545298CEFB57CAD61EE68
                                                                                                                                                    SHA-512:4583C8355106D5050974D3E6B4F982910F5800DB71F81EF4DB94C2F6D1AFB6405F14F0962B2BF33D0C9DFD25CBDEDF51DE3950A0B5005B4FC203F15E5C1E4799
                                                                                                                                                    Malicious:false
                                                                                                                                                    File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                    Entropy (8bit):7.228703310847611
                                                                                                                                                    TrID:
                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                    File name:ChromeFIX_errorMEM.exe
                                                                                                                                                    File size:253952
                                                                                                                                                    MD5:74b6b35627f6453d787f1c7ea3b9ec33
                                                                                                                                                    SHA1:a9282e204443fed6e0be28e8e2dfe7c927706428
                                                                                                                                                    SHA256:51921d13908bd84b1c8fbdd77e6e29d4359ce0fc40857f6f0ad15b1b6ee74730
                                                                                                                                                    SHA512:da3758d999b7a593987aa8e9d708b0b3215a442dc1f3470a81f3ddc221b7875d6c9ecb1c53fce5e7ee795a20e7267d21e8fac804089bb1b65e838c0ed9530996
                                                                                                                                                    SSDEEP:3072:W1jGFFPBsryKxPUBnIZ/C9FUYHwKLLgQmsbVVTjC3r7wcLl2byii5DzrIlu:ug3iPUZIAFUYHDPaQVXC3xR2/iNo
                                                                                                                                                    TLSH:9B441813311F3E60E1FA69B8889DF3865516E3710A6DDB5D73AB0E2E4D09DC39920B36
                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c-.H.C.H.C.H.C.VP..[.C.VP....C.VP..m.C.o.8.L.C.....K.C.H.B...C.Az..I.C.VP..I.C.Az..I.C.RichH.C.........PE..L...jp.d...........
                                                                                                                                                    Icon Hash:00828e8e8686b000
                                                                                                                                                    Entrypoint:0x40370b
                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                    Digitally signed:false
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    Subsystem:windows cui
                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                    Time Stamp:0x6415706A [Sat Mar 18 08:03:54 2023 UTC]
                                                                                                                                                    TLS Callbacks:
                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                    OS Version Major:5
                                                                                                                                                    OS Version Minor:0
                                                                                                                                                    File Version Major:5
                                                                                                                                                    File Version Minor:0
                                                                                                                                                    Subsystem Version Major:5
                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                    Import Hash:df35d969e1568731b4c070bee6bd7122
                                                                                                                                                    Instruction
                                                                                                                                                    call 00007F01BC9D1301h
                                                                                                                                                    jmp 00007F01BC9CECF9h
                                                                                                                                                    mov edi, edi
                                                                                                                                                    push esi
                                                                                                                                                    push 00000001h
                                                                                                                                                    push 0043C3E4h
                                                                                                                                                    mov esi, ecx
                                                                                                                                                    call 00007F01BC9D1381h
                                                                                                                                                    mov dword ptr [esi], 0040D8D4h
                                                                                                                                                    mov eax, esi
                                                                                                                                                    pop esi
                                                                                                                                                    ret
                                                                                                                                                    mov dword ptr [ecx], 0040D8D4h
                                                                                                                                                    jmp 00007F01BC9D13E6h
                                                                                                                                                    mov edi, edi
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
                                                                                                                                                    push esi
                                                                                                                                                    mov esi, ecx
                                                                                                                                                    mov dword ptr [esi], 0040D8D4h
                                                                                                                                                    call 00007F01BC9D13D3h
                                                                                                                                                    test byte ptr [ebp+08h], 00000001h
                                                                                                                                                    je 00007F01BC9CEE59h
                                                                                                                                                    push esi
                                                                                                                                                    call 00007F01BC9CFD1Dh
                                                                                                                                                    pop ecx
                                                                                                                                                    mov eax, esi
                                                                                                                                                    pop esi
                                                                                                                                                    pop ebp
                                                                                                                                                    retn 0004h
                                                                                                                                                    mov edi, edi
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
                                                                                                                                                    push esi
                                                                                                                                                    push dword ptr [ebp+08h]
                                                                                                                                                    mov esi, ecx
                                                                                                                                                    call 00007F01BC9D1352h
                                                                                                                                                    mov dword ptr [esi], 0040D8D4h
                                                                                                                                                    mov eax, esi
                                                                                                                                                    pop esi
                                                                                                                                                    pop ebp
                                                                                                                                                    retn 0004h
                                                                                                                                                    mov edi, edi
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
                                                                                                                                                    sub esp, 0Ch
                                                                                                                                                    jmp 00007F01BC9CEE5Fh
                                                                                                                                                    push dword ptr [ebp+08h]
                                                                                                                                                    call 00007F01BC9D166Bh
                                                                                                                                                    pop ecx
                                                                                                                                                    test eax, eax
                                                                                                                                                    je 00007F01BC9CEE61h
                                                                                                                                                    push dword ptr [ebp+08h]
                                                                                                                                                    call 00007F01BC9D1585h
                                                                                                                                                    pop ecx
                                                                                                                                                    test eax, eax
                                                                                                                                                    je 00007F01BC9CEE38h
                                                                                                                                                    leave
                                                                                                                                                    ret
                                                                                                                                                    test byte ptr [0043D420h], 00000001h
                                                                                                                                                    mov esi, 0043D414h
                                                                                                                                                    jne 00007F01BC9CEE6Bh
                                                                                                                                                    or dword ptr [0043D420h], 01h
                                                                                                                                                    mov ecx, esi
                                                                                                                                                    call 00007F01BC9CEDA9h
                                                                                                                                                    push 0040C9BBh
                                                                                                                                                    call 00007F01BC9D14F2h
                                                                                                                                                    pop ecx
                                                                                                                                                    push esi
                                                                                                                                                    lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                                    call 00007F01BC9DEDE2h
                                                                                                                                                    Programming Language:
                                                                                                                                                    • [ASM] VS2008 build 21022
                                                                                                                                                    • [ C ] VS2008 build 21022
                                                                                                                                                    • [C++] VS2008 build 21022
                                                                                                                                                    • [IMP] VS2005 build 50727
                                                                                                                                                    • [C++] VS2008 SP1 build 30729
                                                                                                                                                    • [RES] VS2008 build 21022
                                                                                                                                                    • [LNK] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xf5f4           0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3e000          0x5c8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3f000          0xd44         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xd000           0x10c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text   0x1000           0xb9cf        0xba00    False     0.5594758064516129   data       6.743605377395388  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xd000           0x2c1a        0x2e00    False     0.45541779891304346  data       5.897601757940328  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x10000          0x2dffc       0x2d400   False     0.5448355490331491   data       7.176585474224499  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3e000          0x5c8         0x600     False     0.44921875           data       3.9110725913804987 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x3f000          0x1940        0x1a00    False     0.43704927884615385  data       4.306560145331581  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
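The Entropy column is Shannon entropy in bits per byte. The writable .data section at 7.18 sits close to the 8.0 ceiling, which is what an embedded compressed or encrypted payload looks like, while .text at 6.74 is ordinary compiled code. Below is an added example (written for this page, not Joe Sandbox code) that parses a PE section table with plain struct calls, computes that entropy per section and applies a simple triage rule. The 7.0 threshold and the flagging rules are assumptions, and the PE it runs on is a constructed skeleton built inline; to check a real sample, pass its file bytes to pe_sections().

```python
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> list:
    """Walk the section table of a raw PE image (e_lfanew at 0x3C, COFF header after
    'PE\\0\\0', section table after the optional header) and score each section's raw data."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, rawsize, rawptr, _reloc, _lines, _nreloc, _nlines,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars, "entropy": shannon_entropy(raw)})
    return sections


def flag_sections(sections: list, entropy_threshold: float = 7.0) -> dict:
    """Triage heuristics; the threshold and rules are assumptions, not a Joe Sandbox rule."""
    flagged = {}
    for s in sections:
        reasons = []
        if s["entropy"] >= entropy_threshold:
            reasons.append("high entropy (compressed/encrypted payload?)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            reasons.append("virtual-only section (unpacking target)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if reasons:
            flagged[s["name"]] = reasons
    return flagged


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE skeleton: low-entropy .text, high-entropy RW .data.
    It only exercises the parser offline; it is not the analysed sample."""
    text = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 100   # repetitive prologue-like bytes
    rng = random.Random(0x5EED)                               # deterministic stand-in for an encrypted blob
    data = bytes(rng.getrandbits(8) for _ in range(4096))
    e_lfanew, opt_size = 0x80, 224                            # 224 = PE32 optional header size
    sec_table = e_lfanew + 24 + opt_size
    text_ptr = (sec_table + 40 * 2 + 0x1FF) & ~0x1FF          # 0x200 file alignment
    data_ptr = (text_ptr + len(text) + 0x1FF) & ~0x1FF
    img = bytearray(data_ptr + len(data))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, NumberOfSections=2, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)         # optional header Magic = PE32

    def section(idx, name, size, vaddr, rawptr, chars):
        struct.pack_into("<8sIIIIIIHHI", img, sec_table + 40 * idx,
                         name, size, vaddr, size, rawptr, 0, 0, 0, 0, chars)

    section(0, b".text", len(text), 0x1000, text_ptr,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    section(1, b".data", len(data), 0x2000, data_ptr,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    img[text_ptr:text_ptr + len(text)] = text
    img[data_ptr:data_ptr + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    for s in pe_sections(build_sample_pe()):
        print(f"{s['name']:8} raw=0x{s['rawsize']:x} entropy={s['entropy']:.2f}")
    print(flag_sections(pe_sections(build_sample_pe())))
```

Entropy alone is a weak signal (resources, embedded certificates and compressed images score high too), so a hit on the rule is a reason to look for the decryption loop and the memory-allocation and write APIs that follow it, not a verdict by itself.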
Name         RVA      Size   Type                                      Language  Country
RT_VERSION   0x3e200  0x3c8  data                                      English   United States
RT_MANIFEST  0x3e0a0  0x15a  ASCII text, with CRLF line terminators    English   United States
DLL           Import
KERNEL32.dll  GetNativeSystemInfo, IsValidCodePage, GetModuleHandleA, FreeConsole, MultiByteToWideChar, GetProcAddress, GetCommandLineA, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, RaiseException, GetCPInfo, GetACP, GetOEMCP, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
USER32.dll    ShowScrollBar
COMDLG32.dll  GetSaveFileNameA, GetOpenFileNameA
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                 Protocol  SID      Message                                           Source Port  Dest Port  Source IP        Dest IP
03/19/23-00:27:09.983730  TCP       2043233  ET TROJAN RedLine Stealer TCP CnC net.tcp Init    49685        4323       192.168.2.3      135.181.173.163
03/19/23-00:27:12.062612  TCP       2043234  ET MALWARE Redline Stealer TCP CnC - Id1Response  4323         49685      135.181.173.163  192.168.2.3
03/19/23-00:27:21.986883  TCP       2043231  ET TROJAN Redline Stealer TCP CnC Activity        49685        4323       192.168.2.3      135.181.173.163
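All three alerts belong to one TCP session from the analysis host (192.168.2.3:49685) to 135.181.173.163:4323. As the first rule name says, the channel is net.tcp, the WCF transport, and every net.tcp connection opens with the .NET Message Framing (MS-NMF) client preamble: a Version record, a Mode record, a Via record carrying the net.tcp:// URI, a Known Encoding record and a one-byte Preamble End, which the server answers with a one-byte Preamble Ack. The following added example (written for this page; it is neither the ET rule's content nor Joe Sandbox code) builds and parses such a preamble and then applies a detection heuristic of my own: net.tcp framing whose Via names a bare IP address on a port other than the WCF default 808. The preamble bytes are constructed; only the host and port come from the alerts above. Internal WCF services that bind to raw IPs will also match, so treat it as a triage filter, not a verdict.

```python
import ipaddress
from urllib.parse import urlsplit

# Record types from the .NET Message Framing protocol (MS-NMF), the framing used by WCF net.tcp.
VERSION_RECORD, MODE_RECORD, VIA_RECORD = 0x00, 0x01, 0x02
KNOWN_ENCODING_RECORD, PREAMBLE_ACK_RECORD, PREAMBLE_END_RECORD = 0x03, 0x0B, 0x0C
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {0x07: "Binary", 0x08: "Binary with in-band dictionary"}  # subset; text/MTOM codes omitted
DEFAULT_NET_TCP_PORT = 808                                             # WCF default for net.tcp URIs
SERVER_PREAMBLE_ACK = bytes([PREAMBLE_ACK_RECORD])                     # the server's whole reply to a preamble


def encode_varint(n: int) -> bytes:
    """MS-NMF variable-length integer: 7 bits per byte, low group first, high bit = continuation."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_varint(buf: bytes, pos: int):
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("varint longer than 5 bytes")


def build_client_preamble(via: str, mode: int = 0x02, encoding: int = 0x08) -> bytes:
    """Client preamble: Version 1.0, Mode, Via, KnownEncoding, PreambleEnd."""
    via_bytes = via.encode("utf-8")
    return (bytes([VERSION_RECORD, 0x01, 0x00, MODE_RECORD, mode, VIA_RECORD])
            + encode_varint(len(via_bytes)) + via_bytes
            + bytes([KNOWN_ENCODING_RECORD, encoding, PREAMBLE_END_RECORD]))


def parse_client_preamble(buf: bytes) -> dict:
    """Parse the first bytes a net.tcp client sends; raises ValueError on anything that is not NMF."""
    if len(buf) < 6 or buf[0] != VERSION_RECORD or buf[3] != MODE_RECORD or buf[5] != VIA_RECORD:
        raise ValueError("not an NMF client preamble")
    info = {"version": (buf[1], buf[2]), "mode": MODES.get(buf[4], f"unknown(0x{buf[4]:02x})")}
    length, pos = decode_varint(buf, 6)
    info["via"] = buf[pos:pos + length].decode("utf-8")
    pos += length
    if pos < len(buf) and buf[pos] == KNOWN_ENCODING_RECORD:      # encoding record is optional
        info["encoding"] = ENCODINGS.get(buf[pos + 1], f"0x{buf[pos + 1]:02x}")
        pos += 2
    info["preamble_end"] = pos < len(buf) and buf[pos] == PREAMBLE_END_RECORD
    return info


def looks_like_stealer_c2(info: dict) -> bool:
    """Heuristic (an assumption, not the ET rule logic): net.tcp whose Via points at a bare IP
    address on a non-default port. Legitimate internal WCF endpoints can match as well."""
    via = urlsplit(info["via"])
    if via.scheme != "net.tcp" or via.hostname is None:
        return False
    try:
        ipaddress.ip_address(via.hostname)
    except ValueError:                                            # a DNS name, not a literal IP
        return False
    return (via.port or DEFAULT_NET_TCP_PORT) != DEFAULT_NET_TCP_PORT


# Constructed samples: the first reuses the C2 host:port from the alerts, the second is a made-up internal service.
SAMPLE_C2_PREAMBLE = build_client_preamble("net.tcp://135.181.173.163:4323/")
SAMPLE_BENIGN_PREAMBLE = build_client_preamble("net.tcp://orders.corp.example:808/OrderService")

if __name__ == "__main__":
    for sample in (SAMPLE_C2_PREAMBLE, SAMPLE_BENIGN_PREAMBLE):
        info = parse_client_preamble(sample)
        print(info, "-> suspicious" if looks_like_stealer_c2(info) else "-> ok")
```

To apply this to a capture, feed the first client-to-server payload of each TCP stream to parse_client_preamble(); streams that raise ValueError are simply not net.tcp, and the Via string of those that parse is the field worth pivoting on, since it carries the operator's endpoint in clear text before any of the binary-encoded WCF messages follow.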
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 19, 2023 00:27:09.580728054 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:09.620574951 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:09.620807886 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:09.983730078 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:10.022506952 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:10.073775053 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:12.021528006 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:12.062612057 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:12.105101109 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:21.986882925 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.028717995 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.028784037 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.028834105 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.028870106 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.028879881 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.028928995 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.028963089 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.028975964 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.029021978 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.029045105 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.029067993 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.029112101 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.029135942 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.029179096 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.029259920 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.067349911 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.067409039 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.067455053 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.067471027 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.067502022 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.067550898 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.067560911 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:22.067599058 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:22.067647934 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.756911039 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.795286894 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.795412064 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.795428038 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.795505047 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.795744896 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.795902967 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.833750010 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.833802938 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.833991051 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.834032059 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.834178925 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.834249020 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.834317923 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.872215986 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.872273922 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.872312069 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.872431993 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.872531891 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.872695923 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.872868061 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.872890949 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.873018026 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.873039007 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.873148918 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.873179913 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.873322010 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.873339891 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.873512983 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.873699903 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.873703003 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.873814106 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.874046087 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.874164104 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.911107063 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911156893 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911194086 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911226988 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911408901 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.911408901 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.911484003 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911611080 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.911679029 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911715031 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911822081 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.911822081 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.911865950 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.911940098 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.912010908 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.912112951 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.912363052 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.912436008 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.912502050 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.912569046 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.912797928 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.912961006 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.912981033 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.913053989 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.913086891 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.913158894 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.913357973 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.913427114 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.913539886 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.913635015 CET  49685        4323       192.168.2.3      135.181.173.163
Mar 19, 2023 00:27:27.913680077 CET  4323         49685      135.181.173.163  192.168.2.3
Mar 19, 2023 00:27:27.913739920 CET  49685        4323       192.168.2.3      135.181.173.163


Target ID: 0
Start time: 00:26:57
Start date: 19/03/2023
Path: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\ChromeFIX_errorMEM.exe
Imagebase: 0xfd0000
File size: 253952 bytes
MD5 hash: 74B6B35627F6453D787F1C7EA3B9EC33
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.247722749.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.240337295.0000000000F82000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 00:26:57
Start date: 19/03/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 00:26:58
Start date: 19/03/2023
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
Imagebase: 0x40000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.304460782.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 4
Start time: 00:26:58
Start date: 19/03/2023
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 132
Imagebase: 0xf40000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly