Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565512
MD5: 0f325c99b7b2585a266cf50d88f134c8
SHA1: 160551d6e6f35ab8ab7401aec1b8adc0bea94ebc
SHA256: 7851c601871d56b8db41856e6dfb518f35332b5f59153fd960ba0a0e7d1a44d2
Tags: exe, user-Bitsight

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
One or more processes crash
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 15%
Source: file.exe Virustotal: Detection: 19%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbrNv source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdbx source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]qnS* source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ^symbols\exe\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblZ source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: AppLaunch.exe, 00000001.00000002.2914980573.0000000009330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]q6 source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdblaunch.pdbpdbnch.pdb.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n4C:\Windows\applaunch.pdbA source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\applaunch.pdbdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\applaunch.pdbpdbnch.pdbXp source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbt source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdbfo source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs Large array initialization: ValidateIntegratedCalculator: array initializer size 361008
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B98F98 NtResumeThread, 0_2_05B98F98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B96E50 NtProtectVirtualMemory, 0_2_05B96E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B98F90 NtResumeThread, 0_2_05B98F90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B96E48 NtProtectVirtualMemory, 0_2_05B96E48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257CB3C 0_2_0257CB3C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257F3B8 0_2_0257F3B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257F3A8 0_2_0257F3A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05A20007 0_2_05A20007
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05A20040 0_2_05A20040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B93570 0_2_05B93570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B96BC8 0_2_05B96BC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B93560 0_2_05B93560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05B96BB9 0_2_05B96BB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CAE7F0 0_2_05CAE7F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05CADD70 0_2_05CADD70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05C90040 0_2_05C90040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05C90006 0_2_05C90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B61580 1_2_04B61580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B648F0 1_2_04B648F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B64900 1_2_04B64900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B612F8 1_2_04B612F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B612E8 1_2_04B612E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B63FA8 1_2_04B63FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 1_2_04B63F3F 1_2_04B63F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148
Source: file.exe, 00000000.00000002.1659447623.000000000078E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1660234081.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTniqh.exe" vs file.exe
Source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000000.1650998732.0000000000332000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamez1.exez- vs file.exe
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1660234081.00000000025A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1679440484.0000000005740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLajlcgecf.dll" vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamez1.exez- vs file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe, Fjbpzvxmnsr.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.59b0000.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.file.exe.59b0000.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.59b0000.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.file.exe.59b0000.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal96.evad.winEXE@4/0@0/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\040cfe38-ff78-4976-89f4-70185a321158
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 1473536 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ec00

Data Obfuscation

Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.file.exe.5960000.4.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs .Net Code: CalculateInterruptibleCalculator System.AppDomain.Load(byte[])
Source: 0.2.file.exe.59b0000.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.file.exe.59b0000.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.file.exe.58a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1680295927.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 2312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 4080, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257EE82 pushad ; retf 0_2_0257EE85
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0257EE80 pushfd ; retf 0_2_0257EE81
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05C964FF push ebx; iretd 0_2_05C9650A
Source: file.exe Static PE information: section name: .text entropy: 7.945671182559719
Source: 0.2.file.exe.5740000.2.raw.unpack, asXkdacxwMNyu0Oyerq.cs High entropy of concatenated method names: 'NTwZu9ZRgC', 'icGyu4GKsds5wJKvHYY', 'cTCRSxGtnAXV86jeErZ', 'I6XQDo3yO8mwH4krEjW', 'uhBHhL3AmI1h0DwFiAR'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs High entropy of concatenated method names: 'd3r12FfPlROKris5kd5', 'Dy2fgvf13Ttq9W2HyGy', 'L0ZDGctTRZ', 'vh0ry9Sq2v', 'kNxD5JF74r', 'QomDFb1AZl', 'vZqDUefvMl', 'sMFDQmmNes', 'mg9bPkQUJR', 'vEiWWHIOXA'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, CYZLnWjtrLQ88n28yrv.cs High entropy of concatenated method names: 'aYCjTbU6MH', 'VM5jPV6Rm5', 'nMdj1Hch4a', 'MZ2jSj1NIh', 'vQPjr4KsGi', 'Jlgjqxc2Dh', 'hSWjYWAejI', 'pRJjmxFYGu', 'Xphj2If8pf', 'Y59jKkKT5A'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, d7OgCi5UloRlxyvSUa.cs High entropy of concatenated method names: 'U8pUTTqy4', 'PaJQnjdvf', 'UMjHWePCb', 'tiMi1WRud', 'fnZ9cO576', 'SxhaciWaT', 'WF2JlGUQc', 'cQxePyr2l', 'Q2nhxl3Bw', 'vLDy2hKqqVNpvOhrSea'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, xJPnJRjl4fjI8X2Ou3h.cs High entropy of concatenated method names: 'kQW1PIwwZj', 'lWm11ecZPO', 'pbb1SRVWXd', 'env1ramKIg', 'HN41qfgkgj', 'MOv1YhVkcd', 'Rkx1mrTXER', 's3SjQr0NIy', 'oYL12HIWq4', 'Fxh1Kvlx9C'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, ls10XCqKLD6JpYxt1c.cs High entropy of concatenated method names: 'VfrXRxXV0', 'w64bh5hID', 'u2LEecY64', 'oR6pmFDHU', 'Q9KmqALhv', 'Hgx2MEqde', 'wNQKrxTT2', 'xHKl9IIc3', 'S19fwGV7H', 'HMTCaKRD3'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs High entropy of concatenated method names: 'd3r12FfPlROKris5kd5', 'Dy2fgvf13Ttq9W2HyGy', 'L0ZDGctTRZ', 'vh0ry9Sq2v', 'kNxD5JF74r', 'QomDFb1AZl', 'vZqDUefvMl', 'sMFDQmmNes', 'mg9bPkQUJR', 'vEiWWHIOXA'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, CYZLnWjtrLQ88n28yrv.cs High entropy of concatenated method names: 'aYCjTbU6MH', 'VM5jPV6Rm5', 'nMdj1Hch4a', 'MZ2jSj1NIh', 'vQPjr4KsGi', 'Jlgjqxc2Dh', 'hSWjYWAejI', 'pRJjmxFYGu', 'Xphj2If8pf', 'Y59jKkKT5A'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, d7OgCi5UloRlxyvSUa.cs High entropy of concatenated method names: 'U8pUTTqy4', 'PaJQnjdvf', 'UMjHWePCb', 'tiMi1WRud', 'fnZ9cO576', 'SxhaciWaT', 'WF2JlGUQc', 'cQxePyr2l', 'Q2nhxl3Bw', 'vLDy2hKqqVNpvOhrSea'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, xJPnJRjl4fjI8X2Ou3h.cs High entropy of concatenated method names: 'kQW1PIwwZj', 'lWm11ecZPO', 'pbb1SRVWXd', 'env1ramKIg', 'HN41qfgkgj', 'MOv1YhVkcd', 'Rkx1mrTXER', 's3SjQr0NIy', 'oYL12HIWq4', 'Fxh1Kvlx9C'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, ls10XCqKLD6JpYxt1c.cs High entropy of concatenated method names: 'VfrXRxXV0', 'w64bh5hID', 'u2LEecY64', 'oR6pmFDHU', 'Q9KmqALhv', 'Hgx2MEqde', 'wNQKrxTT2', 'xHKl9IIc3', 'S19fwGV7H', 'HMTCaKRD3'
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX (38 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX (46 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 2312, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\file.exe Memory allocated: C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 45A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 4B60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 6A60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: 67C0000 memory reserve | memory write watch
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
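The two memory strings in this section (`SerialNumber0VMware|VIRTUAL|A M I|Xen` next to `select * from Win32_ComputerSystem`, and `model0Microsoft|VMWare|Virtual`) are the substance of the AntiVM3 match: alternation patterns compared against WMI properties of the host. The Python block below is an added example, not code from the sample or the sandbox, that applies those two patterns to constructed WMI snapshots so an analyst can check whether a given analysis VM would trip the check before detonating the sample there. It assumes that the `0` between property name and pattern in the dump is a string separator, that the model pattern is evaluated against `Win32_ComputerSystem.Model` and the serial pattern against `Win32_BIOS.SerialNumber`, and that the comparison is case-insensitive (the dump spells `VMWare` and `VMware` differently). The host snapshots are constructed, not taken from the report.

```python
import re

# Patterns as found in file.exe's memory (see the memory strings above).
# Assumptions: the property each pattern targets, and case-insensitive matching.
CHECKS = [
    # (WMI class queried, property read, alternation the sample compares against)
    ('Win32_ComputerSystem', 'Model', r'Microsoft|VMWare|Virtual'),
    ('Win32_BIOS', 'SerialNumber', r'VMware|VIRTUAL|A M I|Xen'),
]


def vm_indicators(wmi: dict) -> list:
    """Apply the sample's VM fingerprint patterns to a WMI snapshot.
    `wmi` maps class name -> {property: value}, i.e. the single instance
    that 'select * from <class>' returns on a typical host."""
    hits = []
    for cls, prop, pattern in CHECKS:
        value = wmi.get(cls, {}).get(prop) or ''
        m = re.search(pattern, value, re.IGNORECASE)
        if m:
            hits.append(f'{cls}.{prop}={value!r} matched {m.group(0)!r}')
    return hits


def would_sample_bail(wmi: dict) -> bool:
    """Any single hit is treated as a VM/sandbox verdict."""
    return bool(vm_indicators(wmi))


# Constructed snapshots (not from the report).
VMWARE_GUEST = {
    'Win32_ComputerSystem': {'Manufacturer': 'VMware, Inc.', 'Model': 'VMware Virtual Platform'},
    'Win32_BIOS': {'SerialNumber': 'VMware-56 4d 3a 2c 1f 84 a3 5b-0d 1e 7a 9b c1 23 45 67'},
}
HYPERV_GUEST = {
    'Win32_ComputerSystem': {'Manufacturer': 'Microsoft Corporation', 'Model': 'Virtual Machine'},
    'Win32_BIOS': {'SerialNumber': '0000-0006-8342-0391-5271-6713-41'},
}
# Firmware default serial string: the 'A M I' alternative catches this even on bare metal.
DEFAULT_FIRMWARE_STRINGS = {
    'Win32_ComputerSystem': {'Manufacturer': 'To Be Filled By O.E.M.', 'Model': 'To Be Filled By O.E.M.'},
    'Win32_BIOS': {'SerialNumber': 'A M I '},
}
# A VM whose SMBIOS strings were overridden to look like a workstation.
HARDENED_SANDBOX = {
    'Win32_ComputerSystem': {'Manufacturer': 'Dell Inc.', 'Model': 'OptiPlex 7090'},
    'Win32_BIOS': {'SerialNumber': '7XK2QH3'},
}


if __name__ == '__main__':
    for label, snap in (('vmware', VMWARE_GUEST), ('hyperv', HYPERV_GUEST),
                        ('defaults', DEFAULT_FIRMWARE_STRINGS), ('hardened', HARDENED_SANDBOX)):
        print(label, would_sample_bail(snap), vm_indicators(snap))
```

Running the same two patterns against the live values of an analysis VM (for instance via `Get-CimInstance Win32_ComputerSystem` and `Get-CimInstance Win32_BIOS` in PowerShell) tells you whether the sample will take the idle path the report observed or run its payload; the `A M I` alternative also shows that this kind of check misfires on hardware that still carries firmware default strings.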

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, GRGlInterface.cs Reference to suspicious API methods: GetProcAddress(libGLESv2, name)
Source: 0.2.file.exe.59b0000.5.raw.unpack, NativeMethods.cs Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.file.exe.59b0000.5.raw.unpack, ResourceReferenceValue.cs Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 822000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88A000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88C000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 783008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
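The memory-write and process-creation lines above are what the report summarises as "Injects a PE file into a foreign processes" and "Writes to foreign memory regions": file.exe spawns the legitimate .NET host AppLaunch.exe, writes a buffer beginning with `4D5A` (the `MZ` header) at base 820000, follows with writes at 822000, 88A000 and 88C000, and makes one more 4-byte-aligned write at 783008, well below the image. The Python block below is an added example, not code from the sandbox, that turns these lines into a correlation rule: a writer that both created the target and placed an MZ-headed buffer in it is flagged, with the writes outside the image listed separately. The input is the report's own seven lines, copied as a constructed sample; the suggestion in the comment that the write at 783008 is the PEB ImageBaseAddress field (PEB+0x08 on 32-bit) is an inference from the address shape, not something the report states.

```python
import re
from collections import defaultdict

# Constructed input: the seven behaviour lines from this section, in the
# order the report prints them (which is not chronological).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 822000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88A000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88C000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 783008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" Jump to behavior
"""

WRITE_RE = re.compile(
    r'^Source: (?P<src>\S+) Memory written: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+)'
    r'(?: value starts with: (?P<head>[0-9A-Fa-f]+))?'
)
CREATE_RE = re.compile(r'^Source: (?P<src>\S+) Process created: (?P<dst>\S+)')


def correlate_injection(lines) -> dict:
    """Group writes and process creations by (writer, target). A pair is
    reported when the writer spawned the target AND wrote a buffer whose
    first bytes are 4D 5A ('MZ') into it: a PE image being placed in a
    process the writer controls. Report order does not matter."""
    state = defaultdict(lambda: {'created': False, 'writes': [], 'mz_bases': []})
    for raw in lines:
        line = raw.replace(' Jump to behavior', '').strip()
        m = WRITE_RE.match(line)
        if m:
            s = state[(m['src'], m['dst'])]
            base = int(m['base'], 16)
            s['writes'].append(base)
            if m['head'] and m['head'].upper().startswith('4D5A'):
                s['mz_bases'].append(base)
            continue
        m = CREATE_RE.match(line)
        if m:
            state[(m['src'], m['dst'])]['created'] = True

    findings = {}
    for (src, dst), s in state.items():
        if not (s['created'] and s['mz_bases']):
            continue
        image_base = min(s['mz_bases'])
        findings[(src, dst)] = {
            'image_base': image_base,
            'write_count': len(s['writes']),
            # Highest write relative to the new image: a lower bound on how much
            # of the PE (headers plus sections) was copied in.
            'image_extent': max(s['writes']) - image_base,
            # Writes below the image are not part of the PE copy. An 8-byte-offset,
            # 4-byte-aligned address like 0x783008 is consistent with patching
            # PEB.ImageBaseAddress (PEB+0x08 on 32-bit); this is an inference.
            'writes_below_image': sorted(b for b in s['writes'] if b < image_base),
        }
    return findings


if __name__ == '__main__':
    for (src, dst), info in correlate_injection(REPORT_LINES.splitlines()).items():
        print(f'{src} -> {dst}: base={info["image_base"]:#x} writes={info["write_count"]} '
              f'extent={info["image_extent"]:#x} below={[hex(b) for b in info["writes_below_image"]]}')
```

The same rule transfers directly to endpoint telemetry: substitute process-creation events carrying the suspended flag and `WriteProcessMemory`/`NtWriteVirtualMemory` events for the report lines, and keep the MZ-header condition, since a .NET host such as AppLaunch.exe receiving a whole PE image from its parent is not something the runtime does on its own.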
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos