
Windows Analysis Report
Setup.exe

Overview

General Information

Sample Name: Setup.exe
Analysis ID: 877006
MD5: 3694c18f01430f213aced163c75788a0
SHA1: 25a1c807d62f211e6adb38ed07e96e6bd309f8b8
SHA256: 7fdba125f3d682ea8b84cdc805f574789ebc8aecca3c5e20d20c8a8cd22e2bdb
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Setup.exe (PID: 6908 cmdline: C:\Users\user\Desktop\Setup.exe MD5: 3694C18F01430F213ACED163C75788A0)
    • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AppLaunch.exe (PID: 6868 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Malware configuration (extracted): {"C2 url": ["94.142.138.4:80"], "Bot Id": "@naralust2", "Message": "Click Close to exit the program. Error code: 1142", "Authorization Header": "684687f1439152a73e2a8b293ee8c64e"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.351025860.0000000000562000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.351304103.000000000042A000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000002.00000002.406792188.0000000000402000.00000020.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.3.Setup.exe.560000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
2.2.AppLaunch.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.3.Setup.exe.560000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1a08:$pat14: , CommandLine:
  • 0x19207:$v2_1: ListOfProcesses
  • 0x18fc4:$v4_3: base64str
  • 0x19c62:$v4_4: stringKey
  • 0x1760a:$v4_5: BytesToStringConverted
  • 0x165ad:$v4_6: FromBase64
  • 0x17b28:$v4_8: procName
2.2.AppLaunch.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1a08:$pat14: , CommandLine:
  • 0x19207:$v2_1: ListOfProcesses
  • 0x18fc4:$v4_3: base64str
  • 0x19c62:$v4_4: stringKey
  • 0x1760a:$v4_5: BytesToStringConverted
  • 0x165ad:$v4_6: FromBase64
  • 0x17b28:$v4_8: procName
0.2.Setup.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
                    No Sigma rule has matched
Timestamp: 05/28/23-13:36:08.316634
Source IP: 94.142.138.4
Destination IP: 192.168.2.3
Source Port: 80
Destination Port: 49698
SID: 2043234
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-13:36:15.171936
Source IP: 192.168.2.3
Destination IP: 94.142.138.4
Source Port: 49698
Destination Port: 80
SID: 2043231
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/28/23-13:36:07.137492
Source IP: 192.168.2.3
Destination IP: 94.142.138.4
Source Port: 49698
Destination Port: 80
SID: 2043233
Protocol: TCP
Classtype: A Network Trojan was detected

                    AV Detection

Source: 2.2.AppLaunch.exe.400000.0.unpack, Malware Configuration Extractor: RedLine {"C2 url": ["94.142.138.4:80"], "Bot Id": "@naralust2", "Message": "Click Close to exit the program. Error code: 1142", "Authorization Header": "684687f1439152a73e2a8b293ee8c64e"}
Source: Setup.exe, Virustotal: Detection: 45%
Source: 94.142.138.4:80, Avira URL Cloud: Label: malware
Source: 94.142.138.4:80, Virustotal: Detection: 17%
Source: Setup.exe, Joe Sandbox ML: detected
Source: Setup.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Code function: 4x nop then jmp 0916DCE8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Code function: 4x nop then jmp 09161FA8h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Code function: 4x nop then jmp 091624A9h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Code function: 4x nop then jmp 09163F38h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, Code function: 4x nop then jmp 091611E9h

                    Networking

Source: Traffic, Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.3:49698 -> 94.142.138.4:80
Source: Traffic, Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.3:49698 -> 94.142.138.4:80
Source: Traffic, Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 94.142.138.4:80 -> 192.168.2.3:49698
Source: Malware configuration extractor, URLs: 94.142.138.4:80
Source: Joe Sandbox View, ASN Name: IHOR-ASRU
Source: Joe Sandbox View, IP Address: 94.142.138.4
Source: unknown, TCP traffic detected without corresponding DNS query: 94.142.138.4
Source: AppLaunch.exe, 00000002.00000002.426014385.000000000F399000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: AppLaunch.exe, 00000002.00000003.406634921.0000000014294000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.406524312.0000000014281000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.406581263.0000000014290000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobe.c/g
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb
                    Source: AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: unknown | DNS traffic detected: queries for: api.ip.sb
                    Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00423860 GetWindowRect,IsMenu,GetSubMenu,SetDlgItemInt,GetWindowPlacement,CharLowerBuffA,EnableMenuItem,CheckMenuRadioItem,GetSysColor,KillTimer,DestroyIcon,DestroyWindow,PostQuitMessage,GetClientRect,MoveWindow,GetSystemMenu,SetTimer,SetWindowPlacement,InsertMenuItemA,GetMenu,CheckMenuItem,SetMenuItemInfoA,SetActiveWindow,DefDlgProcA,RegisterClassA,EndDialog,SetDlgItemTextA,EnumClipboardFormats,GetClipboardData,CloseClipboard,GetClassInfoA,CallWindowProcA,SetWindowLongA,IsDlgButtonChecked,SetWindowTextA,CheckDlgButton,GetActiveWindow,LoadCursorA,MessageBoxA,wsprintfA,GetDlgItemTextA,SendMessageA,GetCursorPos,TrackPopupMenu,ClientToScreen,DestroyMenu,CreatePopupMenu,AppendMenuA,SendDlgItemMessageA,GetDlgItem
                    Source: Setup.exe, 00000000.00000002.351349391.000000000062A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary

                    Source: 0.3.Setup.exe.560000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                    Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                    Source: 0.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
                    Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.3.Setup.exe.560000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 0040D194 appears 48 times
                    Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 00401030 appears 34 times
                    Source: Setup.exe, 00000000.00000000.349607752.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaA86qISn: vs Setup.exe
                    Source: Setup.exe, 00000000.00000002.351304103.0000000000453000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePinholes.exe4 vs Setup.exe
                    Source: Setup.exe, 00000000.00000003.351025860.000000000058D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePinholes.exe4 vs Setup.exe
                    Source: Setup.exe | Binary or memory string: OriginalFilenameaA86qISn: vs Setup.exe
                    Source: Setup.exe | Static PE information: invalid certificate
                    Source: Setup.exe | Virustotal: Detection: 45%
                    Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe C:\Users\user\Desktop\Setup.exe
                    Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\YandexJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/1@2/1
                    Source: AppLaunch.exe, 00000002.00000002.412432062.0000000008AFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008A5D000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008AAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00407163 push ecx; ret
                    Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_0040D1D9 push ecx; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0574D040 push esp; iretd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0CFF88 pushad ; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0CFF8A push esp; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0C5B60 push gs; iretd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0C5BD9 push gs; iretd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0C1AD2 push eax; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0CD198 push esp; iretd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0F0E2AB9 push cs; ret
                    Source: Setup.exeStatic PE information: section name: .ueXxN
                    Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00414203 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX (repeated 75 times)

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5340 | Thread sleep count: 5986 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6904 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3076 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5340 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Setup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477 (repeated 2 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 5986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0574D7A0 sldt word ptr [eax]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477 (repeated 2 times)
Source: C:\Users\user\Desktop\Setup.exe | API call chain: ExitProcess graph end node
Source: AppLaunch.exe, 00000002.00000003.406231569.000000000F469000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: AppLaunch.exe, 00000002.00000003.406231569.000000000F469000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareEBYXSBAAWin32_VideoControllerU21KKRV8VideoController120060621000000.000000-00097365694display.infMSBDAKZ4AGMZ6PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsMS8FS_XZ
Source: AppLaunch.exe, 00000002.00000003.390825216.000000000F390000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.426014385.000000000F38E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004050D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00414203 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004050D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004070B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040DAC7 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00403B6F _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00408C35 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 515D008
Source: C:\Users\user\Desktop\Setup.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Setup.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
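The lines above are the complete injection evidence for Setup.exe against its AppLaunch.exe child: an executable allocation at 0x400000 in the child, a write at that base whose first bytes are 4D5A (an MZ header), a second write at 0x515D008, and the creation of the child itself. Joe Sandbox groups evidence by signature, so the listing does not preserve call order. The correlator below is an added example written for this page, not Joe Sandbox or RedLine code: it parses a simplified "Source: <actor> | <event>: <details>" rendering of these lines (constructed here, not an official export format) and flags a (source, target) pair as consistent with process hollowing only when an executable foreign allocation, an MZ-prefixed write at the same base, and a process creation all appear. The benign counter-example and the field names are assumptions.

```python
"""Correlate sandbox events into a process-hollowing verdict.

Added example for this report. The "Source: <actor> | <event>: <details>"
line shape is a simplified, constructed rendering of the Joe Sandbox lines
above, not an official Joe Sandbox export format.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^Source: (?P<source>.+?) \| "
    r"(?P<kind>Memory written|Memory allocated|Process created): (?P<rest>.+)$"
)
# "<target> base: <hex> [protect: <text>] [value starts with: <hex>]"
MEM_RE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<protect>.+?))?"
    r"(?: value starts with: (?P<prefix>[0-9A-Fa-f]+))?$"
)

SETUP = r"C:\Users\user\Desktop\Setup.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed from the five HIPS lines in this report (same actor, target,
# addresses and MZ prefix; the report lists them per signature, not in
# execution order).
SAMPLE_EVENTS = [
    f"Source: {SETUP} | Memory written: {APPLAUNCH} base: 400000",
    f"Source: {SETUP} | Memory written: {APPLAUNCH} base: 515D008",
    f"Source: {SETUP} | Memory allocated: {APPLAUNCH} base: 400000 protect: page execute and read and write",
    f"Source: {SETUP} | Memory written: {APPLAUNCH} base: 400000 value starts with: 4D5A",
    f"Source: {SETUP} | Process created: {APPLAUNCH} "
    + r"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe",
]

# Constructed counter-example: a foreign write with no executable allocation
# and no PE header must not be reported as hollowing.
BENIGN_EVENTS = [
    r"Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\notepad.exe base: 1A0000",
    r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe notepad.exe",
]


def parse_events(lines):
    """Yield (source, kind, target, details); lines of other kinds are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        source, kind, rest = m.group("source", "kind", "rest")
        if kind == "Process created":
            # First whitespace-separated token is the image path.
            yield source, kind, rest.split()[0], {}
            continue
        mm = MEM_RE.match(rest)
        if not mm:
            continue
        yield source, kind, mm.group("target"), {
            "base": int(mm.group("base"), 16),
            "protect": (mm.group("protect") or "").lower(),
            "prefix": (mm.group("prefix") or "").upper(),
        }


def detect_hollowing(lines):
    """Return {(source, target): verdict} for every foreign-process interaction.

    A pair is flagged when the source allocated executable memory in the
    target, wrote data beginning with an MZ header at that same base, and
    created the target process. Event order is deliberately ignored: the
    report groups evidence by signature, so order is not recoverable here.
    """
    pairs = defaultdict(lambda: {"exec_alloc": set(), "mz_write": set(),
                                 "writes": 0, "created": False})
    for source, kind, target, d in parse_events(lines):
        p = pairs[(source, target)]
        if kind == "Process created":
            p["created"] = True
        elif kind == "Memory allocated" and "execute" in d["protect"]:
            p["exec_alloc"].add(d["base"])
        elif kind == "Memory written":
            p["writes"] += 1
            if d["prefix"].startswith("4D5A"):
                p["mz_write"].add(d["base"])
    verdicts = {}
    for key, p in pairs.items():
        bases = p["exec_alloc"] & p["mz_write"]
        verdicts[key] = {
            "hollowing": bool(bases) and p["created"],
            "image_base": min(bases) if bases else None,
            "foreign_writes": p["writes"],
        }
    return verdicts


if __name__ == "__main__":
    for (src, dst), v in detect_hollowing(SAMPLE_EVENTS + BENIGN_EVENTS).items():
        flag = "HOLLOWING" if v["hollowing"] else "no verdict"
        print(f"{src} -> {dst}: {flag} (writes={v['foreign_writes']}, base={v['image_base']})")
```

On a chronological trace (EDR telemetry rather than a signature-grouped report) the same three conditions can additionally be required in order, with the process creation first and a thread resume last; that ordering is not available from this listing, so the example does not enforce it.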
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (repeated 3 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Setup.exe | Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
Source: C:\Users\user\Desktop\Setup.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\Setup.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\Setup.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\Desktop\Setup.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
Source: C:\Users\user\Desktop\Setup.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
Source: C:\Users\user\Desktop\Setup.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\Setup.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\Desktop\Setup.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\Desktop\Setup.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
Source: C:\Users\user\Desktop\Setup.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\Setup.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\Desktop\Setup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\Setup.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\Setup.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\Desktop\Setup.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Users\user\Desktop\Setup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\Setup.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\user\Desktop\Setup.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040E85B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: AppLaunch.exe, 00000002.00000002.426014385.000000000F3E5000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.407569686.000000000560F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
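The Win32_VideoController, Win32_DiskDrive and Win32_Processor queries in the evasion section and the SecurityCenter / SecurityCenter2 queries just above are the sample's host reconnaissance: hardware fingerprinting to spot a sandbox, and enumeration of installed security products. The VMware and PCI\VEN_15AD strings in memory are what the video-controller query returned inside the analysis VM. As an added example (not Joe Sandbox or RedLine code), the script below classifies such ExecQuery lines by namespace and class and scans memory strings for hypervisor markers. It treats "Hyper-V" as weak evidence on its own, because "Hyper-V RAW" is the name of the Winsock transport provider in mswsock.dll and is present on physical Windows hosts as well. The input lines are constructed copies of this report's evidence; the category names, the extra WMI classes and the marker lists are this example's assumptions.

```python
"""Classify the WMI reconnaissance and hypervisor strings in this report.

Added example, not Joe Sandbox or RedLine code. The input lines are
constructed copies of the WMI and memory-string evidence on this page; the
category names and marker lists are this example's own choices.
"""
import re
from collections import Counter

WMI_RE = re.compile(
    r"IWbemServices::ExecQuery - (?P<ns>[\w\\]+) : (?P<wql>.+)$", re.IGNORECASE
)
FROM_RE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.IGNORECASE)

# WMI classes grouped by what the answer tells the operator. The first three
# hardware classes are the ones queried in this report; the other three are
# their usual companions in VM checks (generalization).
HARDWARE_FINGERPRINT = {
    "win32_videocontroller", "win32_diskdrive", "win32_processor",
    "win32_computersystem", "win32_bios", "win32_baseboard",
}
SECURITY_PRODUCTS = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
PROCESS_ENUM = {"win32_process"}

# Substrings that identify a hypervisor in hardware description strings.
# "ven_15ad" is the VMware PCI vendor ID present in the display adapter
# string above. "hyper-v" is weak on its own: "Hyper-V RAW" is the name of
# the Winsock transport provider in mswsock.dll and shows up on physical
# Windows hosts as well.
STRONG_MARKERS = ("vmware", "ven_15ad", "virtualbox", "vbox", "qemu")
WEAK_MARKERS = ("hyper-v",)

AL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"


def _ev(text):
    """Build a 'Source: <process> | <event>' line in the shape used on this page."""
    return "Source: " + AL + " | " + text


# Constructed from the ExecQuery and memory-string lines of this report.
SAMPLE_LINES = [
    _ev(r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct"),
    _ev(r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct"),
    r"Source: AppLaunch.exe, 00000002.00000003.406231569.000000000F469000.00000004.00000020.00020000.00000000.sdmp"
    r" | Binary or memory string: Win32_VideoController(Standard display types)VMwareEBYXSBAAWin32_VideoController"
    r"U21KKRV8VideoController120060621000000.000000-00097365694display.infMSBDAKZ4AGMZ6PCI\VEN_15AD&DEV_0405"
    r"&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsMS8FS_XZ",
    r"Source: AppLaunch.exe, 00000002.00000003.390825216.000000000F390000.00000004.00000020.00020000.00000000.sdmp"
    r" | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
]


def classify_wmi(line):
    """Return {namespace, class, category} for an ExecQuery line, else None."""
    m = WMI_RE.search(line)
    if not m:
        return None
    ns = m.group("ns").lower()
    fm = FROM_RE.search(m.group("wql"))
    cls = fm.group("cls").lower() if fm else ""
    if ns.endswith(("securitycenter", "securitycenter2")):
        cat = "security-product-enum" if cls in SECURITY_PRODUCTS else "securitycenter-other"
    elif cls in HARDWARE_FINGERPRINT:
        cat = "hardware-fingerprint"
    elif cls in PROCESS_ENUM:
        cat = "process-enum"
    else:
        cat = "other"
    return {"namespace": ns, "class": cls, "category": cat}


def hypervisor_markers(text):
    """Split the markers found in text into (strong, weak) sorted lists."""
    t = text.lower()
    return (sorted(m for m in STRONG_MARKERS if m in t),
            sorted(m for m in WEAK_MARKERS if m in t))


def triage(lines):
    """Summarise WMI recon categories and hypervisor markers over report lines."""
    counts, classes, strong, weak = Counter(), set(), set(), set()
    for line in lines:
        c = classify_wmi(line)
        if c:
            counts[c["category"]] += 1
            classes.add(c["class"])
        elif "Binary or memory string:" in line:
            s, w = hypervisor_markers(line.split("Binary or memory string:", 1)[1])
            strong.update(s)
            weak.update(w)
    return {
        "counts": dict(counts),
        "classes": sorted(classes),
        "strong_markers": sorted(strong),
        "weak_markers": sorted(weak),
        "vm_aware": counts["hardware-fingerprint"] > 0,
        "av_aware": counts["security-product-enum"] > 0,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LINES).items():
        print(f"{k}: {v}")
```

Two of the three hardware classes carry real signal in this run (the VMware adapter name and the 15AD vendor ID), while the SecurityCenter2 answers are what the stealer uses to decide which products it is up against; the Defender path found in memory is consistent with that query having returned a result.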

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.3.Setup.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.351025860.0000000000562000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.351304103.000000000042A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406792188.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6868, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: AppLaunch.exe, 00000002.00000002.408509605.000000000759D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\wallets
Source: AppLaunch.exe, 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: Yara match | File source: 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.408509605.000000000759D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6868, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.3.Setup.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.351025860.0000000000562000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.351304103.000000000042A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406792188.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 6868, type: MEMORYSTR
MITRE ATT&CK Matrix (one row per line, cells separated by "|"; a digit group in front of a technique name is the signature-count badge the report shows in that cell; an empty cell means the column has no further technique):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 221 Windows Management Instrumentation | Path Interception | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 11 Process Discovery | SMB/Windows Admin Shares | 3 Data from Local System | Automated Exfiltration | 11 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 311 Process Injection | NTDS | 241 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 134 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
Setup.exe | 45% | Virustotal | | Browse
Setup.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
api.ip.sb | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://ns.adobe.c/g | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17Response | 0% | URL Reputation | safe |
94.142.138.4:80 | 100% | Avira URL Cloud | malware |
94.142.138.4:80 | 18% | Virustotal | | Browse

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ip.sb | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
94.142.138.4:80 | true | 18%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | AppLaunch.exe, 00000002.00000003.406634921.0000000014294000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.406524312.0000000014281000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000003.406581263.0000000014290000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | AppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id11 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12 | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id16Response | AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id13AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id14AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id15AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id16AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id17AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id18AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id5ResponseAppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id19AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsAppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id10ResponseAppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id8ResponseAppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/soap/envelope/AppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://search.yahoo.com?fr=crmas_sfpfAppLaunch.exe, 00000002.00000002.412432062.0000000008BE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008BFE000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007502000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D77000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B63000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DF5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008D5A000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008DD8000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C5F000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CDD000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008B80000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008CFA000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.408509605.0000000007590000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.412432062.0000000008C7C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1AppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trustAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/06/addressingexAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoorAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseAppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewAppLaunch.exe, 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://tempuri.org/Entity/Id17ResponseAppLaunch.exe, 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs
IP: 94.142.138.4
Domain: unknown
Country: Russian Federation
ASN: 35196
ASN Name: IHOR-ASRU
Malicious: true
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 877006
Start date and time: 2023-05-28 13:35:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 3s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Setup.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/1@2/1
                                                                                                                                                    EGA Information:
                                                                                                                                                    • Successful, ratio: 50%
                                                                                                                                                    HDC Information:
                                                                                                                                                    • Successful, ratio: 99.5% (good quality ratio 97.4%)
                                                                                                                                                    • Quality average: 82.9%
                                                                                                                                                    • Quality standard deviation: 23.3%
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 96%
                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                                    • Stop behavior analysis, all processes terminated
                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                                                                                                                                                    • TCP Packets have been reduced to 100
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 104.26.12.31, 172.67.75.172, 104.26.13.31
                                                                                                                                                    • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net
                                                                                                                                                    • Execution Graph export aborted for target AppLaunch.exe, PID 6868 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time: 13:36:17
Type: API Interceptor
Description: 31x Sleep call for process: AppLaunch.exe modified
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKdHKBtBHK7HK5AHKzvQTHmtHoxHImHKoLHG1J:iqXeqm00YqhQnouOqdqxq7q2qzcGtIx+
MD5: 325E4B0634C6C9578C7D7D8197BD5BCA
SHA1: 1AD114002B0DDFF9C7C5175B0DA9E9FB40DD6BF0
SHA-256: 1B4A2571C8CD6A81820D851AF94A52502BEE6E4802EF4ADBF77F9F1E20F26601
SHA-512: F03FC25705C318A8A26CD446B09A5FDD18EA8976854EECF26F7F02E9EF794C8A14711A556AA523DBC4FAFEA1377F1B46713554573C78A6471B490FE933751E52
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.461973899099257
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Setup.exe
File size: 359160
MD5: 3694c18f01430f213aced163c75788a0
SHA1: 25a1c807d62f211e6adb38ed07e96e6bd309f8b8
SHA256: 7fdba125f3d682ea8b84cdc805f574789ebc8aecca3c5e20d20c8a8cd22e2bdb
SHA512: 9f718f0ef0bb7c8d4e779a8e94ebf84600ccfb0896dc9e33718f4ef09a40434b4f98cde43dfa53781b40654209fcd9fcc4290b5bec58024a366d84f43ce478b2
SSDEEP: 6144:yBmM2uzmMmVvV2KtLMMeWj286qoOEStQZ4lol3+uOD:KlzmRRYKtLMMx96NOESlK4zD
TLSH: 0374E1113248C13AF4AB347189E9DA79A6B9B5701B6F60DBFBC41A6D4F313D17A3021B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J)...Hk..Hk..Hk......Hk.....6Hk......Hk.)....Hk..G6..Hk..Hj..Hk..0...Hk......Hk..0...Hk.Rich.Hk.........................PE..L..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4070ab
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x64726F2F [Sat May 27 20:59:27 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: ccf3d145fef27c23a1356d2673054011
Signature Valid: false
Signature Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 5/12/2022 1:45:59 PM 5/11/2023 1:45:59 PM
Subject Chain:
• CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: EAF99B1CDFF361CB066EC1CDB5FD68ED
Thumbprint SHA-1: F372C27F6E052A6BE8BAB3112B465C692196CD6F
Thumbprint SHA-256: 6DFB94C073BA075667FCC19AB327AE679D84F2A2BCF76CC21ABFC9B93FEE61A5
Serial: 33000002CBB77539FB027142360000000002CB
Instruction
call 00007FA65C6433A0h
jmp 00007FA65C63BA99h
cmp ecx, dword ptr [00454B30h]
jne 00007FA65C63BBF4h
rep ret
jmp 00007FA65C643422h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00454B30h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00454B30h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00454B30h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
Programming Language:
• [ASM] VS2008 build 21022
• [C++] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [C++] VS2008 SP1 build 30729
• [RES] VS2008 build 21022
• [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x28aec | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x610 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x54c00 | 0x2ef8 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x27280 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x24000 | 0x220 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16d0f | 0x16e00 | False | 0.5724363900273224 | data | 6.631366328323876 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.ueXxN | 0x18000 | 0xbc1a | 0xbe00 | False | 0.4510896381578947 | data | 6.220063968239562 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x24000 | 0x56ae | 0x5800 | False | 0.37113813920454547 | data | 5.257116704784325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2a000 | 0x2db48 | 0x2bc00 | False | 0.9570368303571428 | data | 7.824578655735343 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x58000 | 0x610 | 0x800 | False | 0.33251953125 | data | 3.3303604724010856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x58200 | 0x410 | data | English | United States
RT_MANIFEST | 0x580a0 | 0x15a | ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | GetLocaleInfoW, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetStringTypeW, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, IsValidCodePage, GetOEMCP, GetACP, HeapSize, CloseHandle, CreateFileA, ReadFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, WriteFile, ExitProcess, HeapReAlloc, VirtualAlloc, VirtualFree, HeapCreate, GetEnvironmentStringsW, MultiByteToWideChar, GetModuleHandleA, SetFilePointer, GetProcAddress, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, Sleep, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, GetLastError, HeapFree, GetCommandLineA, LCMapStringA, LCMapStringW, GetCPInfo, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, HeapAlloc
USER32.dll | GetWindowRect, IsMenu, GetSubMenu, SetDlgItemInt, GetWindowPlacement, CharLowerBuffA, EnableMenuItem, CheckMenuRadioItem, GetSysColor, KillTimer, DestroyIcon, DestroyWindow, PostQuitMessage, GetClientRect, MoveWindow, GetSystemMenu, SetTimer, SetWindowPlacement, InsertMenuItemA, GetMenu, CheckMenuItem, SetMenuItemInfoA, SetActiveWindow, DefDlgProcA, RegisterClassA, EndDialog, SetDlgItemTextA, EnumClipboardFormats, GetClipboardData, CloseClipboard, GetClassInfoA, CallWindowProcA, SetWindowLongA, IsDlgButtonChecked, SetWindowTextA, CheckDlgButton, GetActiveWindow, LoadCursorA, MessageBoxA, wsprintfA, GetDlgItemTextA, SendMessageA, GetCursorPos, TrackPopupMenu, ClientToScreen, DestroyMenu, CreatePopupMenu, AppendMenuA, SendDlgItemMessageA, GetDlgItem
GDI32.dll | GetStockObject, DeleteObject, SetBkMode, SetTextColor, CreateFontIndirectA, SelectObject, GetObjectA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/28/23-13:36:08.316634 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 80 | 49698 | 94.142.138.4 | 192.168.2.3
05/28/23-13:36:15.171936 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49698 | 80 | 192.168.2.3 | 94.142.138.4
05/28/23-13:36:07.137492 | TCP | 2043233 | ET TROJAN RedLine Stealer TCP CnC net.tcp Init | 49698 | 80 | 192.168.2.3 | 94.142.138.4
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 28, 2023 13:36:16.433954000 CEST | 56924 | 53 | 192.168.2.3 | 8.8.8.8
May 28, 2023 13:36:16.476177931 CEST | 60625 | 53 | 192.168.2.3 | 8.8.8.8
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 28, 2023 13:36:16.433954000 CEST | 192.168.2.3 | 8.8.8.8 | 0x3b27 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
May 28, 2023 13:36:16.476177931 CEST | 192.168.2.3 | 8.8.8.8 | 0x28e5 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 28, 2023 13:36:16.468082905 CEST | 8.8.8.8 | 192.168.2.3 | 0x3b27 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
May 28, 2023 13:36:16.511054039 CEST | 8.8.8.8 | 192.168.2.3 | 0x28e5 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | (none) | CNAME (Canonical name) | IN (0x0001) | false


Target ID: 0
Start time: 13:35:56
Start date: 28/05/2023
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Setup.exe
Imagebase: 0x400000
File size: 359160 bytes
MD5 hash: 3694C18F01430F213ACED163C75788A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.351025860.0000000000562000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.351304103.000000000042A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 13:35:56
Start date: 28/05/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 13:35:56
Start date: 28/05/2023
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit): true
Commandline: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe
Imagebase: 0x130000
File size: 98912 bytes
MD5 hash: 6807F903AC06FF7E1670181378690B22
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.406792188.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.408509605.000000000759D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    Reputation:high
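The entry above is the part of the report an analyst should read most carefully: AppLaunch.exe is a signed Microsoft .NET host, launched here with no arguments, and its own image is mapped at 0x130000, yet one RedLine Yara hit sits at 0x402000 in a memory dump whose protection field is 0x20. That is the footprint of the "Injects a PE file into a foreign processes" signature: a payload mapped at its preferred base 0x400000, outside the host image, with execute permission. The following Python is an added triage example, not part of the Joe Sandbox report, that parses the five Yara match lines copied from this entry and separates the executable hit outside the host image from the read-write hits that hold the stealer's decrypted strings and configuration. It assumes that the fourth dotted field of the `.sdmp` name is the region base address and the fifth is the page protection in winnt.h encoding (0x04 PAGE_READWRITE, 0x20 PAGE_EXECUTE_READ); the remaining fields are kept raw because the page does not document them. The on-disk file size is used as a lower bound for the mapped image size.

```python
import re
from dataclasses import dataclass

# Facts copied from the Target ID 2 entry above.
HOST_IMAGEBASE = 0x130000
HOST_FILE_SIZE = 98912  # AppLaunch.exe on disk; lower bound for the mapped image size

# Yara match lines copied from the same entry (constructed input for this example).
YARA_LINES = [
    "Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.408509605.00000000071A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.408509605.0000000007111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.406792188.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.408509605.000000000759D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.408509605.0000000007233000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
]

# Win32 page-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* family

# ASSUMPTION: field 4 of the dotted .sdmp name is the region base address and
# field 5 is the page protection. Fields 2, 3 and 6-8 are captured but not interpreted.
SOURCE_RE = re.compile(
    r"Rule: (?P<rule>[^,]+), .*?Source: "
    r"(?P<target>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<address>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass
class YaraHit:
    rule: str
    target_id: int   # first field; matches the report's "Target ID"
    address: int     # region base address
    protect: int     # page protection


def parse_hit(line: str) -> YaraHit:
    """Parse one 'Rule: ..., Source: ....sdmp' line from the report."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised Yara match line: {line!r}")
    return YaraHit(
        rule=m.group("rule"),
        target_id=int(m.group("target"), 16),
        address=int(m.group("address"), 16),
        protect=int(m.group("protect"), 16),
    )


def in_host_image(address: int, imagebase: int, image_size: int) -> bool:
    """True if the address falls inside the host process's own mapped image."""
    return imagebase <= address < imagebase + image_size


def classify(hit: YaraHit, imagebase: int, image_size: int) -> str:
    executable = hit.protect in EXECUTABLE_PROTECTIONS
    inside = in_host_image(hit.address, imagebase, image_size)
    if executable and not inside:
        return "injected-code"     # executable memory the host image never mapped
    if executable:
        return "host-image-code"   # the hit would be in the legitimate host binary itself
    return "rw-data"               # heap: decrypted strings / C2 config, typical for a .NET stealer


def triage(lines, imagebase=HOST_IMAGEBASE, image_size=HOST_FILE_SIZE):
    """Classify every Yara hit relative to the host image; returns one dict per line."""
    results = []
    for line in lines:
        hit = parse_hit(line)
        results.append({
            "rule": hit.rule,
            "address": hit.address,
            "executable": hit.protect in EXECUTABLE_PROTECTIONS,
            "in_host_image": in_host_image(hit.address, imagebase, image_size),
            "verdict": classify(hit, imagebase, image_size),
        })
    return results


if __name__ == "__main__":
    for r in triage(YARA_LINES):
        print(f"{r['address']:#010x}  {r['verdict']:16}  {r['rule']}")
```

Run against the five lines above, exactly one hit comes back as `injected-code` (the RedLine match at 0x402000); the other four are read-write heap regions, which is where the "Found malware configuration" and "C2 URLs / IPs found in malware configuration" signatures earlier in the report are typically sourced from. The same split is what you would reproduce on a live host by comparing a Yara scan of process memory against the module list: a hit in an executable region that no loaded module backs is the injection itself, and that region, not the heap, is what to dump and carve a PE from.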

No disassembly