Windows Analysis Report
Zzh4Ti7eW0.exe

Overview

General Information

Sample name: Zzh4Ti7eW0.exe
renamed because original name is a hash value
Original sample name: 1590a3efb4a143305e7182fbd284a414.exe
Analysis ID: 1528879
MD5: 1590a3efb4a143305e7182fbd284a414
SHA1: 4b1910fc583442a94a7a246c5424354991e22f13
SHA256: b11ec3f1e913b4c0caeaf24b194998e7702da6c0b30afc8a147df52b26fd829f
Tags: 32exetrojan

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\ioibrzb.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\ioibrzb.exe Virustotal: Detection: 59%
Source: Zzh4Ti7eW0.exe ReversingLabs: Detection: 50%
Source: Zzh4Ti7eW0.exe Virustotal: Detection: 59%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.3% probability
Source: C:\Users\user\AppData\Roaming\ioibrzb.exe Joe Sandbox ML: detected
Source: Zzh4Ti7eW0.exe Joe Sandbox ML: detected
Source: Zzh4Ti7eW0.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Zzh4Ti7eW0.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb$ source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.000000000096F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qytqeye.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2942441277.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000001.00000002.2942441277.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000001.00000002.2948938636.0000000004E80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: %%.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2937734915.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.00000000008FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.000000000096F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.000000000096F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Zzh4Ti7eW0.PDB <se' source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.00000000008C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Zzh4Ti7eW0.exe, 00000000.00000002.1717705725.00000000041CE000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000000.00000002.1726112890.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Zzh4Ti7eW0.exe, 00000000.00000002.1717705725.00000000041CE000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000000.00000002.1726112890.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.0000000000972000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.00000000008FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Qytqeye.pdbH source: Zzh4Ti7eW0.exe, 00000001.00000002.2942441277.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000001.00000002.2942441277.0000000003B92000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000001.00000002.2948938636.0000000004E80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.00000000008FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb- source: Zzh4Ti7eW0.exe, 00000001.00000002.2938704438.000000000096F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m0C:\Windows\mscorlib.pdb source: Zzh4Ti7eW0.exe, 00000001.00000002.2937734915.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 0592EA60h 0_2_0592E9A0
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 0592EA60h 0_2_0592E9A8
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05926B3Dh 0_2_05926908
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05926B3Dh 0_2_05926958
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05926B3Dh 0_2_0592694B
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05925E8Fh 0_2_05925E30
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05925E8Fh 0_2_05925E23
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_059535B0
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_059535AA
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05955159h 0_2_05954F31
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05955159h 0_2_05954E30
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05955159h 0_2_05954E3F
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then jmp 05955159h 0_2_05954E40
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_059BDAC0
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ioibrzb.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Zzh4Ti7eW0.exe, ioibrzb.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 0.2.Zzh4Ti7eW0.exe.48a6280.3.raw.unpack, Proxy.cs Large array initialization: CallServer: array initializer size 654531
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05950708 NtProtectVirtualMemory, 0_2_05950708
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05951BB8 NtResumeThread, 0_2_05951BB8
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05950700 NtProtectVirtualMemory, 0_2_05950700
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05951BB0 NtResumeThread, 0_2_05951BB0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\ioibrzb.exe B11EC3F1E913B4C0CAEAF24B194998E7702DA6C0B30AFC8A147DF52B26FD829F
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 996
Source: Zzh4Ti7eW0.exe Static PE information: invalid certificate
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1701686213.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000000.1686704835.00000000008CE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedocii.exeF vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1717705725.00000000041CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000003191000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1724296361.00000000058C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1726112890.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002E49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUhcdf.exe" vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000001.00000002.2942441277.0000000003791000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQytqeye.dll" vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000001.00000002.2942441277.0000000003B92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQytqeye.dll" vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, 00000001.00000002.2948938636.0000000004E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameQytqeye.dll" vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe Binary or memory string: OriginalFilenamedocii.exeF vs Zzh4Ti7eW0.exe
Source: Zzh4Ti7eW0.exe, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zzh4Ti7eW0.exe.4463480.1.raw.unpack, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zzh4Ti7eW0.exe.48a6280.3.raw.unpack, ContextRepositoryMock.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zzh4Ti7eW0.exe.48a6280.3.raw.unpack, ContextRepositoryMock.cs Cryptographic APIs: 'CreateDecryptor'
Source: Zzh4Ti7eW0.exe, -.cs Base64 encoded string: 'ijUvAmes9x45EG6kujg1GWzvmD8vE2+jtTVnMWe1nCIoBHuAqj85G2CtoHc7E3aenzkwGkygtClnGXKekCI5B3egtSUoDzmmvDgDOmevvjg0TUWkrRglBmeHqyMxPmOvvSA5TWWkrRMSF2+k4gUyEme5lipnJGegvR8oBGuvvncdEmb6vikoKVKuqiUoH22v4is5Al2CrD4uE2y1nSMxF2uv4h85AkagrS1nRTXw4HRnN3GyvCE+GnuSvD4qE3D6iiUxBm6kmD8vE2+jtTUZDnKttj45BDmjuC45GnSs4j8xGWmkrSkvAg=='
Source: 0.2.Zzh4Ti7eW0.exe.4463480.1.raw.unpack, -.cs Base64 encoded string: 'ijUvAmes9x45EG6kujg1GWzvmD8vE2+jtTVnMWe1nCIoBHuAqj85G2CtoHc7E3aenzkwGkygtClnGXKekCI5B3egtSUoDzmmvDgDOmevvjg0TUWkrRglBmeHqyMxPmOvvSA5TWWkrRMSF2+k4gUyEme5lipnJGegvR8oBGuvvncdEmb6vikoKVKuqiUoH22v4is5Al2CrD4uE2y1nSMxF2uv4h85AkagrS1nRTXw4HRnN3GyvCE+GnuSvD4qE3D6iiUxBm6kmD8vE2+jtTUZDnKttj45BDmjuC45GnSs4j8xGWmkrSkvAg=='
Source: classification engine Classification label: mal100.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe File created: C:\Users\user\AppData\Roaming\ioibrzb.exe
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:64:WilError_03
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\020ddae0-f1ee-483d-a5de-262b2b045cd9
Source: Zzh4Ti7eW0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zzh4Ti7eW0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe File read: C:\Users\user\Desktop\Zzh4Ti7eW0.exe
Source: unknown Process created: C:\Users\user\Desktop\Zzh4Ti7eW0.exe "C:\Users\user\Desktop\Zzh4Ti7eW0.exe"
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process created: C:\Users\user\Desktop\Zzh4Ti7eW0.exe "C:\Users\user\Desktop\Zzh4Ti7eW0.exe"
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Zzh4Ti7eW0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zzh4Ti7eW0.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Zzh4Ti7eW0.exe Static file information: File size 2474944 > 1048576
Source: Zzh4Ti7eW0.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x22a400

Data Obfuscation

Source: 0.2.Zzh4Ti7eW0.exe.48a6280.3.raw.unpack, ContextRepositoryMock.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: Zzh4Ti7eW0.exe, -.cs .Net Code: _E000 System.AppDomain.Load(byte[])
Source: Zzh4Ti7eW0.exe, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Zzh4Ti7eW0.exe.4463480.1.raw.unpack, -.cs .Net Code: _E000 System.AppDomain.Load(byte[])
Source: 0.2.Zzh4Ti7eW0.exe.4463480.1.raw.unpack, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: Yara match File source: 0.2.Zzh4Ti7eW0.exe.59c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1725273607.00000000059C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zzh4Ti7eW0.exe PID: 7296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Zzh4Ti7eW0.exe PID: 7344, type: MEMORYSTR
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_0595C7EA pushfd ; ret 0_2_0595C7F5
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_059B3E77 push edx; ret 0_2_059B3E7A
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_059B8A61 push es; retf 0_2_059B8A62
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05C278CE push ecx; ret 0_2_05C278CF
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05C27815 push ecx; ret 0_2_05C27819
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 0_2_05C2775E push ecx; ret 0_2_05C27762
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 1_2_026A4E69 push 00000002h; ret 1_2_026A4E90
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 1_2_026A3E26 push E9000000h; retf 1_2_026A3E31
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 1_2_026A4B51 push 00000002h; retf 1_2_026A4B54
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 1_2_026A3301 push cs; ret 1_2_026A3305
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Code function: 1_2_026A4D9F push 00000002h; iretd 1_2_026A4E3C
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe File created: C:\Users\user\AppData\Roaming\ioibrzb.exe
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ioibrzb
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ioibrzb
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Zzh4Ti7eW0.exe PID: 7296, type: MEMORYSTR
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: 2BC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: ioibrzb.exe.0.dr Binary or memory string: CompanyNameVMware, Inc.D
Source: ioibrzb.exe.0.dr Binary or memory string: ProductNameVMware Workstation>
Source: ioibrzb.exe.0.dr Binary or memory string: VMware, Inc.
Source: ioibrzb.exe.0.dr Binary or memory string: CommentsVMware Player:
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: ioibrzb.exe.0.dr Binary or memory string: VMware, Inc.1
Source: ioibrzb.exe.0.dr Binary or memory string: VMware, Inc.0
Source: Zzh4Ti7eW0.exe, 00000000.00000002.1708109322.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: ioibrzb.exe.0.dr Binary or memory string: VMware Workstation%
Source: ioibrzb.exe.0.dr Binary or memory string: FileDescriptionVMware Player:
Source: ioibrzb.exe.0.dr Binary or memory string: noreply@vmware.com
Source: ioibrzb.exe.0.dr Binary or memory string: VMware Player
Source: ioibrzb.exe.0.dr Binary or memory string: VMware Workstation
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Memory written: C:\Users\user\Desktop\Zzh4Ti7eW0.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Process created: C:\Users\user\Desktop\Zzh4Ti7eW0.exe "C:\Users\user\Desktop\Zzh4Ti7eW0.exe"
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Queries volume information: C:\Users\user\Desktop\Zzh4Ti7eW0.exe VolumeInformation
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Queries volume information: C:\Users\user\Desktop\Zzh4Ti7eW0.exe VolumeInformation
Source: C:\Users\user\Desktop\Zzh4Ti7eW0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos