File name: launcher.exe

Full analysis: https://app.any.run/tasks/11b95b4f-5eb0-471a-a36b-316b6088089a
Verdict: Malicious activity
Analysis date: November 05, 2024, 13:44:35
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 6D2B48280AB4522A10AE87C019AA913F
SHA1: 0A5BFB0B7D8E6D167B7E3ACCFAD47092A3CA1630
SHA256: C9C29A7A889025B1F291599BFDE8732C9BD96CAAEA1953B1DA21893C5F887C1A
SSDEEP: 98304:WeR1tA7qGRplv9X+RVr8M/5z+c+7LMpto8vM/69w42UMOv96oeCB+13bGYIwPRe9:1i4NAin

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tar.exe (PID: 5748)
      • InstDrv.exe (PID: 3648)
    • Starts CMD.EXE for command execution

      • launcher.exe (PID: 4792)
    • Drops a system driver (possible attempt to evade defenses)

      • tar.exe (PID: 5748)
      • InstDrv.exe (PID: 3648)
    • The executable file from the user directory is run by the CMD process

      • InstDrv.exe (PID: 3648)
    • Executes as Windows Service

      • AsusCertService.exe (PID: 6740)
    • The process deletes a folder without confirmation

      • launcher.exe (PID: 4792)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5332)
  • INFO

    • Reads the computer name

      • launcher.exe (PID: 4792)
    • Creates files in a temporary directory

      • launcher.exe (PID: 4792)
    • Checks supported languages

      • launcher.exe (PID: 4792)
    • Creates a new folder

      • cmd.exe (PID: 5332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2082:12:30 07:58:44+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 2591232
InitializedDataSize: 2930688
UninitializedDataSize: -
EntryPoint: 0x7099fb
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
15
Malicious processes
0
Suspicious processes
4

Behavior graph

Processes in the graph, in start order ("no specs" marks a process with no special indicators): launcher.exe, cmd.exe (no specs), conhost.exe (no specs), tar.exe, instdrv.exe, asuscertservice.exe (no specs), conhost.exe (no specs), asuscertservice.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs), rundll32.exe (no specs), launcher.exe (no specs)

Process information

PID: 1572
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 3608
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\rundll32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\shcore.dll, c:\windows\system32\imagehlp.dll

PID: 3648
CMD: "C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\InstDrv.exe" -i
Path: C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\InstDrv.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\asio3_1.02.22\instdrv.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID: 4792
CMD: "C:\Users\admin\AppData\Local\Temp\launcher.exe"
Path: C:\Users\admin\AppData\Local\Temp\launcher.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images): c:\users\admin\appdata\local\temp\launcher.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ncrypt.dll, c:\windows\system32\ucrtbase.dll

PID: 5084
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AsusCertService.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 5276
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 5332
CMD: cmd.exe /c timeout /t 8 & rmdir "C:\WINDOWS\Prefetch" /s /q & md "C:\WINDOWS\Prefetch"
Path: C:\Windows\System32\cmd.exe
Parent process: launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID: 5584
CMD: cmd /c
Path: C:\Windows\System32\cmd.exe
Parent process: launcher.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll

PID: 5748
CMD: tar -xf "C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22.tar" -C "C:\Users\admin\AppData\Local\Temp"
Path: C:\Windows\System32\tar.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: bsdtar archive tool
Exit code: 0
Version: 3.5.2 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\tar.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\archiveint.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\cryptsp.dll, c:\windows\system32\kernel.appcore.dll

PID: 5896
CMD: "C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe" install
Path: C:\Program Files (x86)\ASUS\AsusCertService\AsusCertService.exe
Parent process: InstDrv.exe
User: admin
Company: Asustek Computer Inc.
Integrity Level: HIGH
Description: AsIO3 Driver
Exit code: 0
Version: 1.02.22
Modules (images): c:\program files (x86)\asus\asuscertservice\asuscertservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

Total events
5 272
Read events
374
Write events
4
Delete events
4 894

Modification events

All listed events were performed by PID 4792, launcher.exe.

Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Operation: delete value | Name: NodeSlot | Value: (empty)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Operation: delete value | Name: MRUListEx | Value: (binary data)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Operation: delete key | Name: (default)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | Operation: delete value | Name: NodeSlot | Value: (empty)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | Operation: delete value | Name: MRUListEx | Value: (binary data)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | Operation: delete key | Name: (default)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 | Operation: delete value | Name: NodeSlot | Value: (binary data)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 | Operation: delete value | Name: MRUListEx | Value: (binary data)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 | Operation: delete key | Name: (default)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3 | Operation: delete value | Name: NodeSlot | Value: (binary data)
Executable files
10
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type

5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\AsusCertService.exe | executable
  MD5: 57E80B6482948B40E18BBB47C8416846
  SHA256: 8889C43F3A2E9D3E31E62C3C5C5476F464F16542267D69A6889B39AD4BA81575
5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\AsIO3_64.dll | executable
  MD5: A100CCC4673180BA3BEF43093F170ECA
  SHA256: 4F7580F0A573B59893DC6567FE2FBA6515DB138525F39B4CBFF5C41985614F34
5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\AsIO3_32.sys | executable
  MD5: 3A5DD76E0AD7AC6D14DD4044513F892E
  SHA256: B67DD68F59135A5FEF8B1620D346BEF961241D261433D3804BDDCFD4986C8FAD
3648 | InstDrv.exe | C:\Windows\System32\drivers\AsIO3.sys | executable
  MD5: 9A5D25C5868C0F5F8742EABD23DADB6C
  SHA256: B8F8D07CC25F7B187F787E350018C9A8F1581E0299D070AB0EE8701D2C9743AA
5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\AsIO3_64.sys | executable
  MD5: 9A5D25C5868C0F5F8742EABD23DADB6C
  SHA256: B8F8D07CC25F7B187F787E350018C9A8F1581E0299D070AB0EE8701D2C9743AA
5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\Version.ini | text
  MD5: B9584559EC791FB0CCAEF43D1EC3416A
  SHA256: 3FF5F72DF57B8AF3008014BB2D98749C1B72E340031FDC6E8905A00DAAE32888
3648 | InstDrv.exe | C:\Windows\SysWOW64\AsIO3.dll | executable
  MD5: 25AEACA8EB0665DD73A45F5A0A0BC658
  SHA256: 601003A4CCB1EFCA92E091BC4896D2F9177B170AF1EB64D9F0E512E22AA9D94A
5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\AsIO3_32.dll | executable
  MD5: 25AEACA8EB0665DD73A45F5A0A0BC658
  SHA256: 601003A4CCB1EFCA92E091BC4896D2F9177B170AF1EB64D9F0E512E22AA9D94A
5748 | tar.exe | C:\Users\admin\AppData\Local\Temp\AsIO3_1.02.22\InstDrv.exe | executable
  MD5: 75280CEAED097E2890E61571D6C9F89D
  SHA256: B1FD1BE648F6A2DA3FBE637162501155307CDAE06E820ACDF2159608332968D1
3648 | InstDrv.exe | C:\ProgramData\ASUS\ARMOURY CRATE Diagnosis\install\AsIO3.log | text
  MD5: 9A801B9C5E9E922AB77D560ADB741F62
  SHA256: 0F45CE190A78C36359BE0BACBA951EEB98EDCB0F88D1906E9D75F4470757BEEA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
34
DNS requests
16
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6944 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5232 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3276 | SIHClient.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3276 | SIHClient.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6944 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | whitelisted
4360 | SearchApp.exe | 2.23.209.162:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.106, 2.16.164.9 | whitelisted
www.microsoft.com | 23.32.185.131 | whitelisted
www.bing.com | 2.23.209.162, 2.23.209.161, 2.23.209.160, 2.23.209.166, 2.23.209.156, 2.23.209.158, 2.23.209.149, 2.23.209.150, 2.23.209.154 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.31.73, 40.126.31.69, 20.190.159.73, 40.126.31.67, 20.190.159.68, 20.190.159.64, 20.190.159.75, 20.190.159.71 | whitelisted
th.bing.com | 2.23.209.141, 2.23.209.148, 2.23.209.135, 2.23.209.142, 2.23.209.144, 2.23.209.143, 2.23.209.140, 2.23.209.137, 2.23.209.149 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted

Threats

No threats detected
No debug info