Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565512
MD5: 0f325c99b7b2585a266cf50d88f134c8
SHA1: 160551d6e6f35ab8ab7401aec1b8adc0bea94ebc
SHA256: 7851c601871d56b8db41856e6dfb518f35332b5f59153fd960ba0a0e7d1a44d2
Tags: exe, user-Bitsight

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
One or more processes crash
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0F325C99B7B2585A266CF50D88F134C8)
    • AppLaunch.exe (PID: 4080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)
      • WerFault.exe (PID: 3332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1680295927.00000000058A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: file.exe PID: 2312 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: file.exe PID: 2312 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: AppLaunch.exe PID: 4080 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.58a0000.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 15%
Source: file.exe | Virustotal: Detection: 19%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbrNv source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdbx source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]qnS* source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ^symbols\exe\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblZ source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: AppLaunch.exe, 00000001.00000002.2914980573.0000000009330000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: %%.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\applaunch.pdb]q6 source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdblaunch.pdbpdbnch.pdb.0.30319\applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n4C:\Windows\applaunch.pdbA source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\applaunch.pdbdb source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: applaunch.pdb source: AppLaunch.exe, 00000001.00000002.2909855431.00000000005E8000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000001.00000002.2910684393.0000000004CEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\applaunch.pdbpdbnch.pdbXp source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbt source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\applaunch.pdbfo source: AppLaunch.exe, 00000001.00000002.2910684393.0000000004D93000.00000004.00000020.00020000.00000000.sdmp
Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs | Large array initialization: ValidateIntegratedCalculator: array initializer size 361008
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B98F98 NtResumeThread, 0_2_05B98F98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B96E50 NtProtectVirtualMemory, 0_2_05B96E50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B98F90 NtResumeThread, 0_2_05B98F90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B96E48 NtProtectVirtualMemory, 0_2_05B96E48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0257CB3C, 0_2_0257CB3C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0257F3B8, 0_2_0257F3B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0257F3A8, 0_2_0257F3A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05A20007, 0_2_05A20007
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05A20040, 0_2_05A20040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B93570, 0_2_05B93570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B96BC8, 0_2_05B96BC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B93560, 0_2_05B93560
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05B96BB9, 0_2_05B96BB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05CAE7F0, 0_2_05CAE7F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05CADD70, 0_2_05CADD70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05C90040, 0_2_05C90040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05C90006, 0_2_05C90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B61580, 1_2_04B61580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B648F0, 1_2_04B648F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B61580, 1_2_04B61580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B64900, 1_2_04B64900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B612F8, 1_2_04B612F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B612E8, 1_2_04B612E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B63FA8, 1_2_04B63FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 1_2_04B63F3F, 1_2_04B63F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148
Source: file.exe, 00000000.00000002.1659447623.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1660234081.0000000002AA4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTniqh.exe" vs file.exe
Source: file.exe, 00000000.00000002.1680721486.00000000059B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000000.1650998732.0000000000332000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamez1.exez- vs file.exe
Source: file.exe, 00000000.00000002.1680588817.0000000005960000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1660234081.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1679440484.0000000005740000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameLajlcgecf.dll" vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamez1.exez- vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe, Fjbpzvxmnsr.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.59b0000.5.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.file.exe.59b0000.5.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.file.exe.59b0000.5.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.59b0000.5.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.file.exe.59b0000.5.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine | Classification label: mal96.evad.winEXE@4/0@0/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\040cfe38-ff78-4976-89f4-70185a321158
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 15%
Source: file.exe | Virustotal: Detection: 19%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1148
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe | Static file information: File size 1473536 > 1048576
Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ec00
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

              Source: 0.2.file.exe.3a76240.0.raw.unpack, FilteredInspector.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 0.2.file.exe.5960000.4.raw.unpack, TypeModel.cs, .Net Code: TryDeserializeList
              Source: 0.2.file.exe.5960000.4.raw.unpack, ListDecorator.cs, .Net Code: Read
              Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs, .Net Code: CreateInstance
              Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateInstance
              Source: 0.2.file.exe.5960000.4.raw.unpack, TypeSerializer.cs, .Net Code: EmitCreateIfNull
              Source: 0.2.file.exe.3a76240.0.raw.unpack, FieldCalculator.cs, .Net Code: CalculateInterruptibleCalculator System.AppDomain.Load(byte[])
              Source: 0.2.file.exe.59b0000.5.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
              Source: 0.2.file.exe.59b0000.5.raw.unpack, ReflectionHelper.cs, .Net Code: InvokeMethod
              Source: 0.2.file.exe.59b0000.5.raw.unpack, XmlSerializationHelper.cs, .Net Code: ReadObjectProperties
              Source: Yara match, file source: 0.2.file.exe.58a0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match, file source: 00000000.00000002.1680295927.00000000058A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, file source: Process Memory Space: file.exe PID: 2312, type: MEMORYSTR
              Source: Yara match, file source: Process Memory Space: AppLaunch.exe PID: 4080, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe, code function: 0_2_0257EE82 pushad ; retf 0_2_0257EE85
              Source: C:\Users\user\Desktop\file.exe, code function: 0_2_0257EE80 pushfd ; retf 0_2_0257EE81
              Source: C:\Users\user\Desktop\file.exe, code function: 0_2_05C964FF push ebx; iretd 0_2_05C9650A
              Source: file.exe, static PE information: section name: .text entropy: 7.945671182559719
              Source: 0.2.file.exe.5740000.2.raw.unpack, asXkdacxwMNyu0Oyerq.cs, high entropy of concatenated method names: 'NTwZu9ZRgC', 'icGyu4GKsds5wJKvHYY', 'cTCRSxGtnAXV86jeErZ', 'I6XQDo3yO8mwH4krEjW', 'uhBHhL3AmI1h0DwFiAR'
              Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs, high entropy of concatenated method names: 'd3r12FfPlROKris5kd5', 'Dy2fgvf13Ttq9W2HyGy', 'L0ZDGctTRZ', 'vh0ry9Sq2v', 'kNxD5JF74r', 'QomDFb1AZl', 'vZqDUefvMl', 'sMFDQmmNes', 'mg9bPkQUJR', 'vEiWWHIOXA'
              Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, CYZLnWjtrLQ88n28yrv.cs, high entropy of concatenated method names: 'aYCjTbU6MH', 'VM5jPV6Rm5', 'nMdj1Hch4a', 'MZ2jSj1NIh', 'vQPjr4KsGi', 'Jlgjqxc2Dh', 'hSWjYWAejI', 'pRJjmxFYGu', 'Xphj2If8pf', 'Y59jKkKT5A'
              Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, d7OgCi5UloRlxyvSUa.cs, high entropy of concatenated method names: 'U8pUTTqy4', 'PaJQnjdvf', 'UMjHWePCb', 'tiMi1WRud', 'fnZ9cO576', 'SxhaciWaT', 'WF2JlGUQc', 'cQxePyr2l', 'Q2nhxl3Bw', 'vLDy2hKqqVNpvOhrSea'
              Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, xJPnJRjl4fjI8X2Ou3h.cs, high entropy of concatenated method names: 'kQW1PIwwZj', 'lWm11ecZPO', 'pbb1SRVWXd', 'env1ramKIg', 'HN41qfgkgj', 'MOv1YhVkcd', 'Rkx1mrTXER', 's3SjQr0NIy', 'oYL12HIWq4', 'Fxh1Kvlx9C'
              Source: 1.2.AppLaunch.exe.7ca5aa0.3.raw.unpack, ls10XCqKLD6JpYxt1c.cs, high entropy of concatenated method names: 'VfrXRxXV0', 'w64bh5hID', 'u2LEecY64', 'oR6pmFDHU', 'Q9KmqALhv', 'Hgx2MEqde', 'wNQKrxTT2', 'xHKl9IIc3', 'S19fwGV7H', 'HMTCaKRD3'
              Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, l1mI9VWxRGlEZlS2FR7.cs, high entropy of concatenated method names: 'd3r12FfPlROKris5kd5', 'Dy2fgvf13Ttq9W2HyGy', 'L0ZDGctTRZ', 'vh0ry9Sq2v', 'kNxD5JF74r', 'QomDFb1AZl', 'vZqDUefvMl', 'sMFDQmmNes', 'mg9bPkQUJR', 'vEiWWHIOXA'
              Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, CYZLnWjtrLQ88n28yrv.cs, high entropy of concatenated method names: 'aYCjTbU6MH', 'VM5jPV6Rm5', 'nMdj1Hch4a', 'MZ2jSj1NIh', 'vQPjr4KsGi', 'Jlgjqxc2Dh', 'hSWjYWAejI', 'pRJjmxFYGu', 'Xphj2If8pf', 'Y59jKkKT5A'
              Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, d7OgCi5UloRlxyvSUa.cs, high entropy of concatenated method names: 'U8pUTTqy4', 'PaJQnjdvf', 'UMjHWePCb', 'tiMi1WRud', 'fnZ9cO576', 'SxhaciWaT', 'WF2JlGUQc', 'cQxePyr2l', 'Q2nhxl3Bw', 'vLDy2hKqqVNpvOhrSea'
              Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, xJPnJRjl4fjI8X2Ou3h.cs, high entropy of concatenated method names: 'kQW1PIwwZj', 'lWm11ecZPO', 'pbb1SRVWXd', 'env1ramKIg', 'HN41qfgkgj', 'MOv1YhVkcd', 'Rkx1mrTXER', 's3SjQr0NIy', 'oYL12HIWq4', 'Fxh1Kvlx9C'
              Source: 1.2.AppLaunch.exe.7d45ac0.4.raw.unpack, ls10XCqKLD6JpYxt1c.cs, high entropy of concatenated method names: 'VfrXRxXV0', 'w64bh5hID', 'u2LEecY64', 'oR6pmFDHU', 'Q9KmqALhv', 'Hgx2MEqde', 'wNQKrxTT2', 'xHKl9IIc3', 'S19fwGV7H', 'HMTCaKRD3'
              Source: C:\Users\user\Desktop\file.exe, process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe, process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe, process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match, file source: Process Memory Space: file.exe PID: 2312, type: MEMORYSTR
              Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\file.exe, memory allocated: C60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe, memory allocated: 25A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe, memory allocated: 45A0000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, memory allocated: 4B60000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, memory allocated: 6A60000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, memory allocated: 67C0000 memory reserve | memory write watch
              Source: all processes, thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
              Source: file.exe, 00000000.00000002.1660234081.0000000002619000.00000004.00000800.00020000.00000000.sdmp, binary or memory string: model0Microsoft|VMWare|Virtual
              Source: C:\Users\user\Desktop\file.exe, process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe, process token adjusted: Debug
              Source: C:\Users\user\Desktop\file.exe, process token adjusted: Debug
              Source: C:\Users\user\Desktop\file.exe, memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: file.exe, GRGlInterface.cs, reference to suspicious API methods: GetProcAddress(libGLESv2, name)
              Source: 0.2.file.exe.59b0000.5.raw.unpack, NativeMethods.cs, reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
              Source: 0.2.file.exe.59b0000.5.raw.unpack, ResourceReferenceValue.cs, reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
              Source: C:\Users\user\Desktop\file.exe, memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\file.exe, memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 820000
              Source: C:\Users\user\Desktop\file.exe, memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 822000
              Source: C:\Users\user\Desktop\file.exe, memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88A000
              Source: C:\Users\user\Desktop\file.exe, memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 88C000
              Source: C:\Users\user\Desktop\file.exe, memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 783008
              Source: C:\Users\user\Desktop\file.exe, process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"