Source: Q9FAsn6SG6.exe | Virustotal: Detection: 69%
Source: Q9FAsn6SG6.exe | Metadefender: Detection: 31%
Source: Q9FAsn6SG6.exe | ReversingLabs: Detection: 69%
Source: Q9FAsn6SG6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.532225269.0000000006B5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com4
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://ocsp.digicert.com0L
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://s2.symcb.com0
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://sv.symcd.com0&
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://www.vmware.com/0
Source: Q9FAsn6SG6.exe | String found in binary or memory: http://www.vmware.com/0/
Source: Q9FAsn6SG6.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: Q9FAsn6SG6.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: Q9FAsn6SG6.exe | String found in binary or memory: https://pidgin.im0
Source: Q9FAsn6SG6.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: Q9FAsn6SG6.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: Q9FAsn6SG6.exe, 00000000.00000002.268728178.0000000000E33000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePennyWise.exe4 vs Q9FAsn6SG6.exe
Source: Q9FAsn6SG6.exe, 00000000.00000003.268281523.000000000314E000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePennyWise.exe4 vs Q9FAsn6SG6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F21499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F281C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F2C3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F2E330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F2CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F21DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F20858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F20B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F21590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F21091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F2C088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F281B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F22108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F21E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F20B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_04F20B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09117530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09117520
Source: Q9FAsn6SG6.exe | Static PE information: invalid certificate
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\Q9FAsn6SG6.exe "C:\Users\user\Desktop\Q9FAsn6SG6.exe"
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\86fddf902dc7d50e1674857833db815d
Source: classification engine | Classification label: mal88.troj.evad.winEXE@4/0@1/1
Source: 0.3.Q9FAsn6SG6.exe.3130000.0.unpack, u0002u2002.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.AppLaunch.exe.400000.0.unpack, u0002u2002.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Q9FAsn6SG6.exe | Static file information: File size 3677592 > 1048576
Source: Q9FAsn6SG6.exe | Static PE information: Raw size of JICeboQ is bigger than: 0x100000 < 0x106000
Source: Q9FAsn6SG6.exe | Static PE information: Raw size of gTx1qw is bigger than: 0x100000 < 0x226000
Source: Q9FAsn6SG6.exe | Static PE information: real checksum: 0x2ff should be: 0x388ceb
Source: Q9FAsn6SG6.exe | Static PE information: section name: JICeboQ
Source: Q9FAsn6SG6.exe | Static PE information: section name: zcPlt
Source: Q9FAsn6SG6.exe | Static PE information: section name: rrF5ta
Source: Q9FAsn6SG6.exe | Static PE information: section name: IKbga
Source: Q9FAsn6SG6.exe | Static PE information: section name: 03AAoc
Source: Q9FAsn6SG6.exe | Static PE information: section name: 6maTqw
Source: Q9FAsn6SG6.exe | Static PE information: section name: PKmYta
Source: Q9FAsn6SG6.exe | Static PE information: section name: gTx1qw
Source: Q9FAsn6SG6.exe | Static PE information: section name: 9YRtc
Source: initial sample | Static PE information: section where entry point is pointing to: gTx1qw
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: AppLaunch.exe, 00000002.00000003.277565209.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: Q9FAsn6SG6.exe | Binary or memory string: noreply@vmware.com0
Source: Q9FAsn6SG6.exe | Binary or memory string: http://www.vmware.com/0
Source: Q9FAsn6SG6.exe | Binary or memory string: VMware, Inc.1!0
Source: AppLaunch.exe, 00000002.00000003.277565209.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMware_19TXUL2Win32_VideoControllerHW9_2_HAVideoController120060621000000.000000-00083625117display.infMSBDAZ6UOZVBZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors9KEWZH9_68E0
Source: AppLaunch.exe, 00000002.00000002.531934997.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMware_19TXUL2Win32_VideoControllerHW9_2_HAVideoController120060621000000.000000-00083625117display.infMSBDAZ6UOZVBZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors9KEWZH9_
Source: Q9FAsn6SG6.exe | Binary or memory string: http://www.vmware.com/0/
Source: Q9FAsn6SG6.exe | Binary or memory string: VMware, Inc.1
Source: Q9FAsn6SG6.exe | Binary or memory string: VMware, Inc.0
Source: AppLaunch.exe, 00000002.00000002.531934997.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9B9008
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid