Windows Analysis Report
Q9FAsn6SG6

Overview

General Information

Sample Name: Q9FAsn6SG6 (renamed file extension from none to exe)
Analysis ID: 620828
MD5: c61f9a9059f8b8bd0e69f7df4cb09786
SHA1: 70fffde0debf4559859617d49dc48c54df3c156d
SHA256: 84a5a26f1748c3ad1f0b98c438908e8dc842eacc6390484527ee1fe7e56264f5
Tags: 32, exe, trojan

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Writes to foreign memory regions
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains sections with non-standard names
Contains capabilities to detect virtual machines
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
HTTP GET or POST without a user agent
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections
Enables debug privileges

Classification

AV Detection

Source: Q9FAsn6SG6.exe Avira: detected
Source: Q9FAsn6SG6.exe Virustotal: Detection: 69%
Source: Q9FAsn6SG6.exe Metadefender: Detection: 31%
Source: Q9FAsn6SG6.exe ReversingLabs: Detection: 69%
Source: Q9FAsn6SG6.exe Joe Sandbox ML: detected
Source: Q9FAsn6SG6.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Q9FAsn6SG6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.532225269.0000000006B5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com4
Source: Q9FAsn6SG6.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Q9FAsn6SG6.exe String found in binary or memory: http://ocsp.digicert.com0L
Source: Q9FAsn6SG6.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Q9FAsn6SG6.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://s2.symcb.com0
Source: AppLaunch.exe, 00000002.00000002.532195437.0000000006B47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Q9FAsn6SG6.exe String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Q9FAsn6SG6.exe String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://sv.symcd.com0&
Source: Q9FAsn6SG6.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://www.symauth.com/cps0(
Source: Q9FAsn6SG6.exe String found in binary or memory: http://www.symauth.com/rpa00
Source: Q9FAsn6SG6.exe String found in binary or memory: http://www.vmware.com/0
Source: Q9FAsn6SG6.exe String found in binary or memory: http://www.vmware.com/0/
Source: Q9FAsn6SG6.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: Q9FAsn6SG6.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: Q9FAsn6SG6.exe String found in binary or memory: https://pidgin.im0
Source: Q9FAsn6SG6.exe String found in binary or memory: https://sectigo.com/CPS0
Source: Q9FAsn6SG6.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: Q9FAsn6SG6.exe, 00000000.00000002.268728178.0000000000E33000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePennyWise.exe4 vs Q9FAsn6SG6.exe
Source: Q9FAsn6SG6.exe, 00000000.00000003.268281523.000000000314E000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePennyWise.exe4 vs Q9FAsn6SG6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F21499 2_2_04F21499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F281C0 2_2_04F281C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F2C3D0 2_2_04F2C3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F2E330 2_2_04F2E330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F2CCA0 2_2_04F2CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F21DD0 2_2_04F21DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F20858 2_2_04F20858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F20B38 2_2_04F20B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F21590 2_2_04F21590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F21091 2_2_04F21091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F2C088 2_2_04F2C088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F281B0 2_2_04F281B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F22108 2_2_04F22108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F21E81 2_2_04F21E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F20B72 2_2_04F20B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_04F20B28 2_2_04F20B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_09117530 2_2_09117530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 2_2_09117520 2_2_09117520
Source: Q9FAsn6SG6.exe Static PE information: invalid certificate
Source: Q9FAsn6SG6.exe Virustotal: Detection: 69%
Source: Q9FAsn6SG6.exe Metadefender: Detection: 31%
Source: Q9FAsn6SG6.exe ReversingLabs: Detection: 69%
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\Q9FAsn6SG6.exe "C:\Users\user\Desktop\Q9FAsn6SG6.exe"
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\86fddf902dc7d50e1674857833db815d
Source: classification engine Classification label: mal88.troj.evad.winEXE@4/0@1/1
Source: 0.3.Q9FAsn6SG6.exe.3130000.0.unpack, u0002u2002.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.AppLaunch.exe.400000.0.unpack, u0002u2002.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Q9FAsn6SG6.exe Static file information: File size 3677592 > 1048576
Source: Q9FAsn6SG6.exe Static PE information: Raw size of JICeboQ is bigger than: 0x100000 < 0x106000
Source: Q9FAsn6SG6.exe Static PE information: Raw size of gTx1qw is bigger than: 0x100000 < 0x226000
Source: Q9FAsn6SG6.exe Static PE information: real checksum: 0x2ff should be: 0x388ceb
Source: Q9FAsn6SG6.exe Static PE information: section name: JICeboQ
Source: Q9FAsn6SG6.exe Static PE information: section name: zcPlt
Source: Q9FAsn6SG6.exe Static PE information: section name: rrF5ta
Source: Q9FAsn6SG6.exe Static PE information: section name: IKbga
Source: Q9FAsn6SG6.exe Static PE information: section name: 03AAoc
Source: Q9FAsn6SG6.exe Static PE information: section name: 6maTqw
Source: Q9FAsn6SG6.exe Static PE information: section name: PKmYta
Source: Q9FAsn6SG6.exe Static PE information: section name: gTx1qw
Source: Q9FAsn6SG6.exe Static PE information: section name: 9YRtc
Source: initial sample Static PE information: section where entry point is pointing to: gTx1qw
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: AppLaunch.exe, 00000002.00000003.277565209.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: Q9FAsn6SG6.exe Binary or memory string: noreply@vmware.com0
Source: Q9FAsn6SG6.exe Binary or memory string: http://www.vmware.com/0
Source: Q9FAsn6SG6.exe Binary or memory string: VMware, Inc.1!0
Source: AppLaunch.exe, 00000002.00000003.277565209.0000000004FF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware_19TXUL2Win32_VideoControllerHW9_2_HAVideoController120060621000000.000000-00083625117display.infMSBDAZ6UOZVBZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors9KEWZH9_68E0
Source: AppLaunch.exe, 00000002.00000002.531934997.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware_19TXUL2Win32_VideoControllerHW9_2_HAVideoController120060621000000.000000-00083625117display.infMSBDAZ6UOZVBZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors9KEWZH9_
Source: Q9FAsn6SG6.exe Binary or memory string: http://www.vmware.com/0/
Source: Q9FAsn6SG6.exe Binary or memory string: VMware, Inc.1
Source: Q9FAsn6SG6.exe Binary or memory string: VMware, Inc.0
Source: AppLaunch.exe, 00000002.00000002.531934997.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9B9008
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Q9FAsn6SG6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid