
Analysis Report Purchase Order Mch2020 .exe

Overview

General Information

Sample Name: Purchase Order Mch2020 .exe
MD5: 2992cf24eff20baeedf086fb6ad07f29
SHA1: 1941164a9895014a4acd106ed06c4112703b6baa
SHA256: e2835d917864f771c6dc3539f1f3276bae6503ff19c6d1674f9489a3b0bc6cbe

Most interesting Screenshot:

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Purchase Order Mch2020 .exe (PID: 5284 cmdline: 'C:\Users\user\Desktop\Purchase Order Mch2020 .exe' MD5: 2992CF24EFF20BAEEDF086FB6AD07F29)
    • RegAsm.exe (PID: 5600 cmdline: 'C:\Users\user\Desktop\Purchase Order Mch2020 .exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.2511988326.0000000001300000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 5600 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Purchase Order Mch2020 .exe | Virustotal: Detection: 72%
Source: Purchase Order Mch2020 .exe | Metadefender: Detection: 37%
Source: Purchase Order Mch2020 .exe | ReversingLabs: Detection: 80%
Machine Learning detection for sample
Source: Purchase Order Mch2020 .exe | Joe Sandbox ML: detected
Source: 0.0.Purchase Order Mch2020 .exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Purchase Order Mch2020 .exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01303283 InternetReadFile,7_2_01303283
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: RegAsm.exe, 00000007.00000002.2513681227.0000000001698000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.dig)
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000007.00000002.2513681227.0000000001698000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0F
Source: RegAsm.exe, 00000007.00000002.2514021517.00000000016FE000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://lgincdnvzeuno.azureedge.net/
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://lhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738089&rver=7.3.6962.0&wp=MB
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/%26resid%3D4AC5BD987B58F
Source: RegAsm.exe, 00000007.00000002.2514021517.00000000016FE000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/)J8
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.net
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.net5
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.netK
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.netQ
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/.b.lg.prod.aadmsa.trafficmanager.netm
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/3
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/7s
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/Cs
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/IthQcwj_ThA&lc=1033&id=2
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/Ls
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/Ys
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/er=7.3.6962.0&wp=MBI_SSL
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/es
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf%3fwa%3dwsignin1.0%26rpsnv%3d13%26ct%3d1594738089%26rver%3d7.3.6962.
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737613&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737657&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737724&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737725&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737726&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737727&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737728&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594737734&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738012&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738013&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738014&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738015&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738016&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738017&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738018&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738019&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738020&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738021&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738022&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738023&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738024&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738025&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738026&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738027&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738028&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738029&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738030&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738031&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514386695.000000000175D000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738032&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738033&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738034&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738035&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738036&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738037&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738038&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738039&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738040&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738041&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738042&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738043&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738044&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738045&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738046&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738047&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738048&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738049&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738050&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738051&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738052&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738053&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738054&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738055&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738056&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738057&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738058&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738059&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738060&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738061&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738062&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738063&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738064&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738065&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738066&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738067&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738068&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738069&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738070&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738071&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738072&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738073&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738074&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738075&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738076&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738077&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738078&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738079&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738080&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738081&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2518681207.000000001F13C000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738082&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738083&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738084&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738085&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738086&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514386695.000000000175D000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738087&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738088&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514423505.0000000001769000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2518581203.000000001F130000.00000004.00000001.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1594738089&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/nedrive.live.com%2Fdownl
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/ography
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/om/login.srf?wa=wsignin1
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2513681227.0000000001698000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/pp1600/
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/s
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/vs
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://logincdn.msauth.net/
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/oldconvergedlogin_palt_5a70kbZdzxpCE-8MRlMA7Q2.js
Source: RegAsm.exe, 00000007.00000002.2513681227.0000000001698000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/$y
Source: RegAsm.exe, 00000007.00000002.2514021517.00000000016FE000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/8&resid=4AC5BD987B58FB28%21106&authkey=AC1uIthQcwj_ThA
Source: RegAsm.exe, 00000007.00000002.2511964596.00000000012FA000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4AC5BD987B58FB28&resid=4AC5B
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4AC5BD987B58FB28&resid=4AC5BD987B58FB28%21106
Source: RegAsm.exe, 00000007.00000002.2513898669.00000000016E0000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2514386695.000000000175D000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2513681227.0000000001698000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4AC5BD987B58FB28&resid=4AC5BD987B58FB28%21106&authkey=AC1uIth
Source: RegAsm.exe, 00000007.00000002.2514062172.000000000170B000.00000004.00000020.sdmp, RegAsm.exe, 00000007.00000002.2515018479.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
Source: RegAsm.exe, 00000007.00000002.2514223695.000000000172C000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order Mch2020 .exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Purchase Order Mch2020 .exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01302F17 NtProtectVirtualMemory, 7_2_01302F17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01300089 NtSetInformationThread, Sleep, 7_2_01300089
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_013000C0 NtSetInformationThread, 7_2_013000C0
Source: Purchase Order Mch2020 .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Purchase Order Mch2020 .exe, 00000000.00000000.791906446.000000000040E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBEOENC.exe vs Purchase Order Mch2020 .exe
Source: Purchase Order Mch2020 .exe | Binary or memory string: OriginalFilenameBEOENC.exe vs Purchase Order Mch2020 .exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal88.rans.troj.evad.winEXE@4/0@2/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: Purchase Order Mch2020 .exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order Mch2020 .exe | Virustotal: Detection: 72%
Source: Purchase Order Mch2020 .exe | Metadefender: Detection: 37%
Source: Purchase Order Mch2020 .exe | ReversingLabs: Detection: 80%
Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order Mch2020 .exe 'C:\Users\user\Desktop\Purchase Order Mch2020 .exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Purchase Order Mch2020 .exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Purchase Order Mch2020 .exe'
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000007.00000002.2511988326.0000000001300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5600, type: MEMORY
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Code function: 0_2_00405098 push cs; iretd 0_2_004050A6
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Code function: 0_2_00406977 push esp; retf 0_2_00406979
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01303830 push esp; iretd 7_2_0130385A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01303954 push esp; iretd 7_2_01303956
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_0130389C push ebx; retf 7_2_013038DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_013038DC push edx; retf 7_2_013038EA
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_7-1462
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 811
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5624 | Thread sleep time: -8110000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: RegAsm.exe, 00000007.00000002.2513681227.0000000001698000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWH!o
Source: RegAsm.exe, 00000007.00000002.2513898669.00000000016E0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01300089 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000, 7_2_01300089
Hides threads from debuggers
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01300050 EnumWindows, LdrInitializeThunk, 7_2_01300050
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01302C25 mov eax, dword ptr fs:[00000030h] 7_2_01302C25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01302A1D mov eax, dword ptr fs:[00000030h] 7_2_01302A1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01300C68 mov eax, dword ptr fs:[00000030h] 7_2_01300C68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01300768 mov eax, dword ptr fs:[00000030h] 7_2_01300768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_01300AAD mov eax, dword ptr fs:[00000030h] 7_2_01300AAD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_013029E0 mov eax, dword ptr fs:[00000030h] 7_2_013029E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 7_2_013015DE mov eax, dword ptr fs:[00000030h] 7_2_013015DE
Source: C:\Users\user\Desktop\Purchase Order Mch2020 .exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Purchase Order Mch2020 .exe'
Source: RegAsm.exe, 00000007.00000002.2514583186.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 00000007.00000002.2514583186.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000007.00000002.2514583186.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000007.00000002.2514583186.0000000001B20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

(Each row lists one technique per tactic column; an empty cell means no technique in that column for the row. Digits attached to a technique are the report's signature-count markers.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through API1 | Winlogon Helper DLL | Process Injection12 | Software Packing1 | Credential Dumping | Virtualization/Sandbox Evasion11 | Remote File Copy1 | Data from Local System | Data Compressed | Remote File Copy1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Graphical User Interface1 | Port Monitors | Accessibility Features | Virtualization/Sandbox Evasion11 | Network Sniffing | Process Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection12 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information1 | Credentials in Files | Security Software Discovery21 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap |  | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | DLL Side-Loading1 | Account Manipulation | Remote System Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Information Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.