Windows Analysis Report
statement of acct WWP.exe

Overview

General Information

Sample name: statement of acct WWP.exe
Analysis ID: 1532363
MD5: f79a55a13a3d164ef221efdcb36e1922
SHA1: 5939a114dca3cb5e472cff9cb4c966739d1c1358
SHA256: 03edf3102a8f0d109eb2d90c241415855241d7f74d7f7d5de9461562533b9a36
Tags: exe, user-threatcat_ch

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe Virustotal: Detection: 67%
Source: statement of acct WWP.exe ReversingLabs: Detection: 55%
Source: statement of acct WWP.exe Virustotal: Detection: 67%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe Joe Sandbox ML: detected
Source: statement of acct WWP.exe Joe Sandbox ML: detected
Source: statement of acct WWP.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: statement of acct WWP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbJ source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbU source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbs\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\; source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: statement of acct WWP.exe, 00000000.00000002.1733730921.0000000006790000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbs source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: statement of acct WWP.exe, statement of acct WWP.exe, 00000000.00000002.1733730921.0000000006790000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089Kan4RGj7VL7rWDtSRt8.PDBiskHbqINHQw1Li1KyxLqjX03nvWxA7BFEC.wbKtL0OVV2YaxXW04o3;GetDelegateForFunctionPointerKs3J36A3KjCmS04ikGP.QJJZCogJ55PKAkd9uW source: InstallUtil.exe, 00000001.00000002.2956383768.0000000003EAC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2956383768.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2960309219.00000000051E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbu@R\ source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1728246718.00000000044EE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1728246718.00000000044EE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdbg source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBpw source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb* source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: an4RGj7VL7rWDtSRt8.PDBiskHbqINHQw1Li1 source: InstallUtil.exe, 00000001.00000002.2956383768.0000000003EAC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2956383768.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2960309219.00000000051E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbty0 source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 05FB9939h 0_2_05FB98D8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 05FB9939h 0_2_05FB98C8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 05FB9939h 0_2_05FB9AC6
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 0607CFD9h 0_2_0607CE98
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 0607CFD9h 0_2_0607CEA8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 0607CFD9h 0_2_0607CF9C
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 4x nop then jmp 0607CFD9h 0_2_0607D1B8
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1728246718.00000000044EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06073C30 NtProtectVirtualMemory, 0_2_06073C30
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06075130 NtResumeThread, 0_2_06075130
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06073C28 NtProtectVirtualMemory, 0_2_06073C28
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06075129 NtResumeThread, 0_2_06075129
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_067E2EA8 0_2_067E2EA8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06796E5B 0_2_06796E5B
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FBA5A7 0_2_05FBA5A7
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FBE580 0_2_05FBE580
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FB5938 0_2_05FB5938
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FBE570 0_2_05FBE570
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FBB151 0_2_05FBB151
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FBAFD7 0_2_05FBAFD7
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FBAB28 0_2_05FBAB28
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC4520 0_2_05FC4520
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC142C 0_2_05FC142C
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FCC630 0_2_05FCC630
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC0040 0_2_05FC0040
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FCD378 0_2_05FCD378
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC5F28 0_2_05FC5F28
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FCC5F7 0_2_05FCC5F7
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC44FF 0_2_05FC44FF
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FCB670 0_2_05FCB670
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FCB660 0_2_05FCB660
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC0006 0_2_05FC0006
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FCD368 0_2_05FCD368
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_05FC5F17 0_2_05FC5F17
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06072E18 0_2_06072E18
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06070EE8 0_2_06070EE8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06079308 0_2_06079308
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06079BD8 0_2_06079BD8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06072E07 0_2_06072E07
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06070E62 0_2_06070E62
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0607CE98 0_2_0607CE98
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0607CEA8 0_2_0607CEA8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0607E6BF 0_2_0607E6BF
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06070ED9 0_2_06070ED9
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0607CF9C 0_2_0607CF9C
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06078FC0 0_2_06078FC0
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06070006 0_2_06070006
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0607D1B8 0_2_0607D1B8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06080007 0_2_06080007
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06080040 0_2_06080040
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D8D88 0_2_060D8D88
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D83C8 0_2_060D83C8
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060DC171 0_2_060DC171
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060DD788 0_2_060DD788
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060DC4A7 0_2_060DC4A7
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D8D78 0_2_060D8D78
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D5383 0_2_060D5383
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D0006 0_2_060D0006
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D0040 0_2_060D0040
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0641DAA0 0_2_0641DAA0
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06400040 0_2_06400040
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06400006 0_2_06400006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E47A50 1_2_00E47A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E43308 1_2_00E43308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E432F8 1_2_00E432F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E43308 1_2_00E43308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E4470D 1_2_00E4470D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E44718 1_2_00E44718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05355CE0 1_2_05355CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05355045 1_2_05355045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05355CE0 1_2_05355CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05355CDF 1_2_05355CDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05354368 1_2_05354368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_053563E8 1_2_053563E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_053566B0 1_2_053566B0
Source: statement of acct WWP.exe Binary or memory string: OriginalFilename vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000004506000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1732436443.0000000005FD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1733730921.0000000006790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.0000000003EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNjgvqnsbzc.exe" vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1711702882.000000000100E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNjgvqnsbzc.exe" vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1728246718.00000000044EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs statement of acct WWP.exe
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000030BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNjgvqnsbzc.exe" vs statement of acct WWP.exe
Source: statement of acct WWP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Txbgvtdzyo.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: statement of acct WWP.exe, PoolInfoTask.cs Task registration methods: 'RegisterCreator'
Source: classification engine Classification label: mal96.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\statement of acct WWP.exe File created: C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2239e0e9-86c2-4171-87b9-8995593d83e5
Source: statement of acct WWP.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\statement of acct WWP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\statement of acct WWP.exe File read: C:\Users\user\Desktop\statement of acct WWP.exe
Source: unknown Process created: C:\Users\user\Desktop\statement of acct WWP.exe "C:\Users\user\Desktop\statement of acct WWP.exe"
Source: C:\Users\user\Desktop\statement of acct WWP.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1148
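The process chain recorded above (the sample on the user's Desktop starts InstallUtil.exe with no arguments, and WerFault.exe is later launched for PID 7348) plus the PE dropped to C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe is a reusable hunt pattern. The following Python is an added example, not Joe Sandbox output and not code from the sample: it runs that pattern over constructed Sysmon-style event records (the field names eid, pid, image, parent_image, cmdline, hashes and target are an assumption of the example), matches the SHA256 listed in this report, and generalises the host list beyond InstallUtil.exe to other .NET framework binaries that are hollowed the same way.

```python
import re

# Indicators copied from this report.
SAMPLE_SHA256 = "03edf3102a8f0d109eb2d90c241415855241d7f74d7f7d5de9461562533b9a36"
KNOWN_BAD_SHA256 = {SAMPLE_SHA256}

# InstallUtil.exe is the host observed in this report; the other entries are
# .NET framework binaries abused the same way (the example's generalisation).
HOLLOW_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
USER_WRITABLE_RE = re.compile(r"^c:\\users\\", re.I)
DROPPED_PE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_args(cmdline):
    """True when anything follows the (possibly quoted) image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        parts = cmdline.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""


def parse_hashes(field):
    """Parse a Sysmon-style 'SHA256=..,MD5=..' field into a dict."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def hunt(events):
    """Return (finding, pid, detail) tuples for the behaviour chain in the report.

    events: dicts with 'eid' 1 (process create: pid, image, parent_image, cmdline,
    optional hashes) or 11 (file create: pid, image, target).
    """
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    findings = []
    for e in events:
        if e["eid"] == 1:
            image, parent = basename(e["image"]), e.get("parent_image", "")
            # Multi AV / ML detection: known-bad hash of the submitted sample.
            if parse_hashes(e.get("hashes", "")).get("SHA256") in KNOWN_BAD_SHA256:
                findings.append(("known_sample_hash", e["pid"], e["image"]))
            # "Creates a process in suspended mode" + "Injects a PE file into a
            # foreign process": a user-path EXE starts a .NET LOLBin with no arguments.
            if image in HOLLOW_HOSTS and USER_WRITABLE_RE.match(parent) and not has_args(e["cmdline"]):
                findings.append(("hollow_host_no_args", e["pid"], parent))
            # "One or more processes crash": WerFault -p <pid> names the hollowed host.
            if image == "werfault.exe":
                m = WERFAULT_PID_RE.search(e["cmdline"])
                crashed = procs.get(int(m.group(1))) if m else None
                if crashed and basename(crashed["image"]) in HOLLOW_HOSTS:
                    findings.append(("hollow_host_crashed", crashed["pid"], crashed["image"]))
        elif e["eid"] == 11:
            # "Drops PE files": .exe written under %APPDATA%\Roaming by a user-path EXE.
            if DROPPED_PE_RE.match(e["target"]) and USER_WRITABLE_RE.match(e["image"]):
                findings.append(("pe_dropped_to_roaming", e["pid"], e["target"]))
    return findings


SAMPLE = r"C:\Users\user\Desktop\statement of acct WWP.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events mirroring the process tree and dropped file in this report
# (7348 and 7500 come from the WerFault command line and mutant name; 7100 is invented).
SAMPLE_EVENTS = [
    {"eid": 1, "pid": 7100, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"', "hashes": f"SHA256={SAMPLE_SHA256}"},
    {"eid": 11, "pid": 7100, "image": SAMPLE,
     "target": r"C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe"},
    {"eid": 1, "pid": 7348, "image": HOST, "parent_image": SAMPLE, "cmdline": f'"{HOST}"'},
    {"eid": 1, "pid": 7500, "image": WERFAULT, "parent_image": HOST,
     "cmdline": WERFAULT + " -u -p 7348 -s 1148"},
]

# Constructed benign control: a vendor installer registering a service with InstallUtil.
BENIGN_ARGS = r'/i "C:\Program Files\Vendor\svc.exe"'
BENIGN_EVENTS = [
    {"eid": 1, "pid": 9000, "image": HOST, "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": f'"{HOST}" {BENIGN_ARGS}'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
    print("benign findings:", hunt(BENIGN_EVENTS))
```

The argument-less launch is the strongest of the four signals: InstallUtil.exe has no legitimate use without a command line, so a parent under C:\Users that starts it bare is worth an alert on its own, while the WerFault crash and the %APPDATA% drop raise confidence and give the pivot points (PID, file path) for the response.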
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\statement of acct WWP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\statement of acct WWP.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: statement of acct WWP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: statement of acct WWP.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: statement of acct WWP.exe Static file information: File size 1519104 > 1048576
Source: statement of acct WWP.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x172200
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbty0 source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2952743942.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2953640043.0000000000F12000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: statement of acct WWP.exe, DescriptorCallbackClass.cs .Net Code: ComputeSerializer System.AppDomain.Load(byte[])
Source: 0.2.statement of acct WWP.exe.4506710.0.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.statement of acct WWP.exe.4506710.0.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.statement of acct WWP.exe.4506710.0.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.statement of acct WWP.exe.4506710.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.statement of acct WWP.exe.4506710.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 0.2.statement of acct WWP.exe.60e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1732770665.00000000060E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: statement of acct WWP.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7348, type: MEMORYSTR
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_013645B0 push ebx; retf 0002h 0_2_013645B2
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_013645BB push ebp; retf 0002h 0_2_013645D2
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_01364591 push ebx; retf 0002h 0_2_01364592
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_01369BD0 pushfd ; retf 0002h 0_2_01369BD2
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_01369C19 pushfd ; retf 0002h 0_2_01369C1A
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_01369C41 pushfd ; retf 0002h 0_2_01369C42
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06070751 push es; iretd 0_2_06070780
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06070782 push es; iretd 0_2_06070784
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_0607AD88 pushfd ; iretd 0_2_0607AD89
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06083E71 push edi; ret 0_2_06083E72
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D3E27 push ss; ret 0_2_060D3E2A
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D5E41 push es; retf 0_2_060D5E4C
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D60E5 push es; ret 0_2_060D6104
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_060D6132 push es; retf 0_2_060D6138
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_06401AF3 push ecx; ret 0_2_06401AFC
Source: C:\Users\user\Desktop\statement of acct WWP.exe Code function: 0_2_064035B6 push ebx; retf 0_2_064035BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00E459B9 push FFFFFFB8h; retf 1_2_00E459C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05353D13 push edi; ret 1_2_05353D19
Source: statement of acct WWP.exe Static PE information: section name: .text entropy: 7.906317177896089
Source: Txbgvtdzyo.exe.0.dr Static PE information: section name: .text entropy: 7.906317177896089
Source: 0.2.statement of acct WWP.exe.5720000.3.raw.unpack, nWDjMXVRbhkgGjbPi3c.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'V4XVAi2vNN', 'NtProtectVirtualMemory', 'KPFrvAQFJWFXSH9F9mS', 'bKsRHtQ8gMTU1Wl42Y7', 'S2nEMcQOhkNmyZcvVYU', 'jpBVigQfwjFUhiZxF2p'
Source: C:\Users\user\Desktop\statement of acct WWP.exe File created: C:\Users\user\AppData\Roaming\Txbgvtdzyo.exe
Source: C:\Users\user\Desktop\statement of acct WWP.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Txbgvtdzyo
Source: C:\Users\user\Desktop\statement of acct WWP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: statement of acct WWP.exe PID: 7304, type: MEMORYSTR
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp, statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@\^Q
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE|VIRTUAL|A M I|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT|VMWARE|VIRTUALXJOHNYANNAZXXXXXXXX
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory allocated: 1360000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\statement of acct WWP.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\statement of acct WWP.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OBXGA X7HXYL7E65@\^q0VMware|VIRTUAL|A M<
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR^q8
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: mfwnbu7Me4pSX1C xZ8MKOxC@\^q0Microsoft|VMWare|V<
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen@\^q
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.00000000033F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR^q
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen(_^q
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware|VIRTUAL|A M I|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft|VMWare|VirtualXjohnYannaZxxxxxxxx
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:Microsoft|VMWare|Virtual
Source: statement of acct WWP.exe, 00000000.00000002.1713123325.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: C:\Users\user\Desktop\statement of acct WWP.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\statement of acct WWP.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 486000
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 488000
Source: C:\Users\user\Desktop\statement of acct WWP.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 968008
Source: C:\Users\user\Desktop\statement of acct WWP.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\statement of acct WWP.exe Queries volume information: C:\Users\user\Desktop\statement of acct WWP.exe VolumeInformation
Source: C:\Users\user\Desktop\statement of acct WWP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\statement of acct WWP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\statement of acct WWP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\statement of acct WWP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos