Windows Analysis Report Statement of Acct..exe

Overview

General Information

Sample Name:	Statement of Acct..exe
Analysis ID:	483652
MD5:	850ef5cb4d3e3023ab26072a4cc6a25f
SHA1:	0947a5b62ad244324971c7863977befaae3d71fd
SHA256:	bb7d986712c63235f866f11ebc85ac60c360676e0576a075f16c16f679c31c7b
Tags:	exeFormbookxloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Sigma detected: CMSTP Execution Process Creation

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.fhuosa.com/tgnd/"], "decoy": ["forever1887.com", "zkz889.icu", "futuresmanagers.com", "salondebelle.biz", "ziwomou.site", "mobilestoreok.com", "codexiveserver.xyz", "cloudrail.net", "pancakeandwaffle.net", "ckbtmg.com", "ralphboyer.net", "carpenterglobal.solutions", "mercoso.com", "restoreyourpavers.com", "tianyunpd.com", "lan-sinoh.xyz", "networlink.com", "kazisworkshop.com", "hempandcan.com", "wd255.com", "spectedsinues.com", "winbigcompetitions.com", "careconnectorsfl.com", "customia.xyz", "aestheticsbychill.com", "sydneymortgagebroker.sydney", "legallawgroup.com", "posafrica.biz", "rrstables.net", "opexma.com", "xxertyg.xyz", "centermen.com", "2272772.com", "badplants.com", "scrappyjonez.com", "habesha-dream.com", "doradoeventos.com", "truegifty.website", "markoonline.com", "rockpresident.com", "datasydney2022.com", "tubbsbaitco.com", "shopavix.com", "ol9qz8i2sj3ic2f8.cfd", "67161.xyz", "tallulah.top", "24-7homebiz.info", "thesugarbuddy.com", "instantcancelorder.xyz", "bpost-international.com", "infracreation.com", "otomakyaj35.xyz", "aboutforeverness.com", "racheleaton.info", "16ty6.com", "davideli.com", "financertr.xyz", "matteogonfiantini.com", "loudandclearcaraudio.com", "spalp.xyz", "apkversion.site", "littlehappy.world", "georgecuthbert.com", "au-easyprofit-way.xyz"]}

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: Statement of Acct..exe

Avira: detected

Machine Learning detection for sample

Source: Statement of Acct..exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Statement of Acct..exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Statement of Acct..exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000006.00000002.352653457.0000000001020000.00000040.00020000.sdmp
Source:	Binary string: RegSvcs.pdb, source: cmstp.exe, 00000012.00000002.570765603.00000000005EC000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000003.281526807.0000000000EB0000.00000004.00000001.sdmp, cmstp.exe, 00000012.00000002.572364026.00000000047BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, cmstp.exe
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 00000006.00000002.352653457.0000000001020000.00000040.00020000.sdmp
Source:	Binary string: RegSvcs.pdb source: cmstp.exe, 00000012.00000002.570765603.00000000005EC000.00000004.00000020.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi		6_2_00415687
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi		18_2_02C25687

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.fhuosa.com/tgnd/

Source: explorer.exe, 0000001F.00000002.558114958.00007FFF97D29000.00000002.00020000.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 0000001F.00000002.558114958.00007FFF97D29000.00000002.00020000.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: explorer.exe, 0000001F.00000002.546262433.0000000008352000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Statement of Acct..exe, 00000001.00000003.259045485.00000000059BB000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Statement of Acct..exe, 00000001.00000003.259045485.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comoT
Source: Statement of Acct..exe, 00000001.00000003.259045485.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comp
Source: explorer.exe, 00000009.00000000.337658583.000000000ECC0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Statement of Acct..exe, 00000001.00000003.264462671.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Statement of Acct..exe, 00000001.00000003.264462671.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlZ
Source: explorer.exe, 00000009.00000000.310033076.0000000006870000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comEacf
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: Statement of Acct..exe, 00000001.00000003.262963855.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comacd
Source: Statement of Acct..exe, 00000001.00000003.262646868.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comae
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comdd
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come
Source: Statement of Acct..exe, 00000001.00000003.263643018.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: Statement of Acct..exe, 00000001.00000003.263643018.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comhlyY
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comig
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comm
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: Statement of Acct..exe, 00000001.00000003.262771270.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comoa
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Statement of Acct..exe, 00000001.00000003.268396294.00000000059C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Statement of Acct..exe, 00000001.00000003.267751284.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Statement of Acct..exe, 00000001.00000003.270048479.00000000059DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html.
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Statement of Acct..exe, 00000001.00000003.270048479.00000000059DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: Statement of Acct..exe, 00000001.00000003.269718934.00000000059BB000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Statement of Acct..exe, 00000001.00000003.269628851.00000000059DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmli
Source: Statement of Acct..exe, 00000001.00000003.267813196.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers2
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000003.269171308.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Statement of Acct..exe, 00000001.00000003.267988132.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersJ
Source: Statement of Acct..exe, 00000001.00000003.268298607.00000000059C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: Statement of Acct..exe, 00000001.00000003.275141930.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa
Source: Statement of Acct..exe, 00000001.00000003.270346557.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersf
Source: Statement of Acct..exe, 00000001.00000002.281801359.0000000001117000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: Statement of Acct..exe, 00000001.00000002.281801359.0000000001117000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Statement of Acct..exe, 00000001.00000003.261800977.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/tr
Source: Statement of Acct..exe, 00000001.00000003.261918947.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/u
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnadeG
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cniesI
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Statement of Acct..exe, 00000001.00000003.272140319.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmes-es_tradnl
Source: Statement of Acct..exe, 00000001.00000003.272196518.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmf
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Statement of Acct..exe, 00000001.00000003.257739241.00000000059A2000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Statement of Acct..exe, 00000001.00000003.257739241.00000000059A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma
Source: Statement of Acct..exe, 00000001.00000003.264462671.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Statement of Acct..exe, 00000001.00000003.260949530.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Statement of Acct..exe, 00000001.00000003.261090323.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krde
Source: Statement of Acct..exe, 00000001.00000003.260949530.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krle
Source: Statement of Acct..exe, 00000001.00000003.261090323.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krn
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Statement of Acct..exe, 00000001.00000003.262118335.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Statement of Acct..exe, 00000001.00000003.270596707.00000000059C8000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Statement of Acct..exe, 00000001.00000003.267250978.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deO
Source: Statement of Acct..exe, 00000001.00000003.267250978.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deo
Source: Statement of Acct..exe, 00000001.00000003.267250978.00000000059C3000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deoi
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Statement of Acct..exe, 00000001.00000003.262505353.00000000059BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cncj

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: Statement of Acct..exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Uses a Windows Living Off The Land Binaries (LOL bins)

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe

Yara signature match

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\Statement of Acct..exe	Code function: 1_2_0068EB73	1_2_0068EB73
Source: C:\Users\user\Desktop\Statement of Acct..exe	Code function: 1_2_0068EA84	1_2_0068EA84
Source: C:\Users\user\Desktop\Statement of Acct..exe	Code function: 1_2_0068E30D	1_2_0068E30D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041B8FA	6_2_0041B8FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041C974	6_2_0041C974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D291	6_2_0041D291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041CB5C	6_2_0041CB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00408C5B	6_2_00408C5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041C68E	6_2_0041C68E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0107F900	6_2_0107F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01094120	6_2_01094120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01131002	6_2_01131002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0108B090	6_2_0108B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010AEBB0	6_2_010AEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01070D20	6_2_01070D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01141D55	6_2_01141D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0108841F	6_2_0108841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01096E30	6_2_01096E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0478D466	18_2_0478D466
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046D841F	18_2_046D841F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04791D55	18_2_04791D55
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046C0D20	18_2_046C0D20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04792D07	18_2_04792D07
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046DD5E0	18_2_046DD5E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047925DD	18_2_047925DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046F2581	18_2_046F2581
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046E6E30	18_2_046E6E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0478D616	18_2_0478D616
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04792EF7	18_2_04792EF7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04791FF1	18_2_04791FF1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04781002	18_2_04781002
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047928EC	18_2_047928EC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046F20A0	18_2_046F20A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047920A8	18_2_047920A8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046DB090	18_2_046DB090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046E4120	18_2_046E4120
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046CF900	18_2_046CF900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047922AE	18_2_047922AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04792B28	18_2_04792B28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0478DBD2	18_2_0478DBD2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_046FEBB0	18_2_046FEBB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2D291	18_2_02C2D291
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2CB5C	18_2_02C2CB5C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2B8FA	18_2_02C2B8FA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2C974	18_2_02C2C974
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C12FB0	18_2_02C12FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C18C5B	18_2_02C18C5B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C18C60	18_2_02C18C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C12D90	18_2_02C12D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: String function: 046CB150 appears 35 times

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004185C0 NtCreateFile,	6_2_004185C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00418670 NtReadFile,	6_2_00418670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004186F0 NtClose,	6_2_004186F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004187A0 NtAllocateVirtualMemory,	6_2_004187A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004185BA NtCreateFile,	6_2_004185BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041866A NtReadFile,	6_2_0041866A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004186EA NtClose,	6_2_004186EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041879A NtAllocateVirtualMemory,	6_2_0041879A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_010B9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B99A0 NtCreateSection,LdrInitializeThunk,	6_2_010B99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9840 NtDelayExecution,LdrInitializeThunk,	6_2_010B9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_010B9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B98F0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_010B98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9A00 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_010B9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9A20 NtResumeThread,LdrInitializeThunk,	6_2_010B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9A50 NtCreateFile,LdrInitializeThunk,	6_2_010B9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9540 NtReadFile,LdrInitializeThunk,	6_2_010B9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B95D0 NtClose,LdrInitializeThunk,	6_2_010B95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9710 NtQueryInformationToken,LdrInitializeThunk,	6_2_010B9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9780 NtMapViewOfSection,LdrInitializeThunk,	6_2_010B9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B97A0 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_010B97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9FE0 NtCreateMutant,LdrInitializeThunk,	6_2_010B9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_010B9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_010B96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9950 NtQueueApcThread,	6_2_010B9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B99D0 NtCreateProcessEx,	6_2_010B99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9820 NtEnumerateKey,	6_2_010B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010BB040 NtSuspendThread,	6_2_010BB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B98A0 NtWriteVirtualMemory,	6_2_010B98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9B00 NtSetValueKey,	6_2_010B9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010BA3B0 NtGetContextThread,	6_2_010BA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9A10 NtQuerySection,	6_2_010B9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9A80 NtOpenDirectoryObject,	6_2_010B9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9520 NtWaitForSingleObject,	6_2_010B9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010BAD30 NtSetContextThread,	6_2_010BAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9560 NtWriteFile,	6_2_010B9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B95F0 NtQueryInformationFile,	6_2_010B95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010BA710 NtOpenProcessToken,	6_2_010BA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9730 NtQueryVirtualMemory,	6_2_010B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9760 NtOpenProcess,	6_2_010B9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9770 NtSetInformationFile,	6_2_010B9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010BA770 NtOpenThread,	6_2_010BA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9610 NtEnumerateValueKey,	6_2_010B9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9650 NtQueryValueKey,	6_2_010B9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B9670 NtQueryInformationProcess,	6_2_010B9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010B96D0 NtCreateKey,	6_2_010B96D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709540 NtReadFile,LdrInitializeThunk,	18_2_04709540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047095D0 NtClose,LdrInitializeThunk,	18_2_047095D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709660 NtAllocateVirtualMemory,LdrInitializeThunk,	18_2_04709660
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709650 NtQueryValueKey,LdrInitializeThunk,	18_2_04709650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047096E0 NtFreeVirtualMemory,LdrInitializeThunk,	18_2_047096E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047096D0 NtCreateKey,LdrInitializeThunk,	18_2_047096D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709710 NtQueryInformationToken,LdrInitializeThunk,	18_2_04709710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709FE0 NtCreateMutant,LdrInitializeThunk,	18_2_04709FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709780 NtMapViewOfSection,LdrInitializeThunk,	18_2_04709780
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709860 NtQuerySystemInformation,LdrInitializeThunk,	18_2_04709860
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709840 NtDelayExecution,LdrInitializeThunk,	18_2_04709840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709910 NtAdjustPrivilegesToken,LdrInitializeThunk,	18_2_04709910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047099A0 NtCreateSection,LdrInitializeThunk,	18_2_047099A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709A50 NtCreateFile,LdrInitializeThunk,	18_2_04709A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709560 NtWriteFile,	18_2_04709560
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0470AD30 NtSetContextThread,	18_2_0470AD30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709520 NtWaitForSingleObject,	18_2_04709520
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047095F0 NtQueryInformationFile,	18_2_047095F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709670 NtQueryInformationProcess,	18_2_04709670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709610 NtEnumerateValueKey,	18_2_04709610
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0470A770 NtOpenThread,	18_2_0470A770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709770 NtSetInformationFile,	18_2_04709770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709760 NtOpenProcess,	18_2_04709760
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709730 NtQueryVirtualMemory,	18_2_04709730
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0470A710 NtOpenProcessToken,	18_2_0470A710
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047097A0 NtUnmapViewOfSection,	18_2_047097A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0470B040 NtSuspendThread,	18_2_0470B040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709820 NtEnumerateKey,	18_2_04709820
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047098F0 NtReadVirtualMemory,	18_2_047098F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047098A0 NtWriteVirtualMemory,	18_2_047098A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709950 NtQueueApcThread,	18_2_04709950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_047099D0 NtCreateProcessEx,	18_2_047099D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709A20 NtResumeThread,	18_2_04709A20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709A10 NtQuerySection,	18_2_04709A10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709A00 NtProtectVirtualMemory,	18_2_04709A00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709A80 NtOpenDirectoryObject,	18_2_04709A80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_04709B00 NtSetValueKey,	18_2_04709B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0470A3B0 NtGetContextThread,	18_2_0470A3B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C286F0 NtClose,	18_2_02C286F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C28670 NtReadFile,	18_2_02C28670
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C287A0 NtAllocateVirtualMemory,	18_2_02C287A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C285C0 NtCreateFile,	18_2_02C285C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C286EA NtClose,	18_2_02C286EA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2866A NtReadFile,	18_2_02C2866A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2879A NtAllocateVirtualMemory,	18_2_02C2879A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C285BA NtCreateFile,	18_2_02C285BA

Abnormal high CPU Usage

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: Statement of Acct..exe, 00000001.00000002.280674453.0000000000696000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDefaultDllImportSearchPathsAttribu.exe< vs Statement of Acct..exe
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs Statement of Acct..exe
Source: Statement of Acct..exe, 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Statement of Acct..exe
Source: Statement of Acct..exe	Binary or memory string: OriginalFilenameDefaultDllImportSearchPathsAttribu.exe< vs Statement of Acct..exe

Source: Statement of Acct..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Statement of Acct..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Statement of Acct..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Statement of Acct..exe 'C:\Users\user\Desktop\Statement of Acct..exe'
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: Statement of Acct..exe, u0008u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Statement of Acct..exe.610000.0.unpack, u0008u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.Statement of Acct..exe.610000.0.unpack, u0008u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Statement of Acct..exe, u0008u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Statement of Acct..exe.610000.0.unpack, u0008u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Statement of Acct..exe.610000.0.unpack, u0008u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041B86C push eax; ret	6_2_0041B872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041B802 push eax; ret	6_2_0041B808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041B80B push eax; ret	6_2_0041B872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D0E1 push esp; ret	6_2_0041D0DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D17C push esp; ret	6_2_0041D0DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00416219 push es; ret	6_2_0041621A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D291 push esp; ret	6_2_0041D0DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041CF30 push esp; ret	6_2_0041D0DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041B7B5 push eax; ret	6_2_0041B808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_010CD0D1 push ecx; ret	6_2_010CD0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_0471D0D1 push ecx; ret	18_2_0471D0E4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2D291 push esp; ret	18_2_02C2D0DE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C26219 push es; ret	18_2_02C2621A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2D0E1 push esp; ret	18_2_02C2D0DE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2B86C push eax; ret	18_2_02C2B872
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2B802 push eax; ret	18_2_02C2B808
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2B80B push eax; ret	18_2_02C2B872
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2D17C push esp; ret	18_2_02C2D0DE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2B7B5 push eax; ret	18_2_02C2B808
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 18_2_02C2CF30 push esp; ret	18_2_02C2D0DE

Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Statement of Acct..exe PID: 6308, type: MEMORYSTR

Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000002C185F4 second address: 0000000002C185FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 0000000002C1897E second address: 0000000002C18984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Statement of Acct..exe TID: 6312	Thread sleep time: -43483s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe TID: 6384	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Statement of Acct..exe	Thread delayed: delay time: 43483			Jump to behavior
Source: C:\Users\user\Desktop\Statement of Acct..exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000009.00000000.314009591.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001F.00000002.532910815.0000000004505000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001F.00000002.535667052.000000000680D000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00WB
Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001F.00000002.547896887.000000000844A000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00.nJ
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000001F.00000002.547541515.00000000083CE000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001F.00000002.535667052.000000000680D000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Q8
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000001F.00000002.547896887.000000000844A000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00~o
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Statement of Acct..exe, 00000001.00000002.281560751.0000000000D2E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000009.00000000.298200387.0000000008C73000.00000004.00000001.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000001F.00000002.546340892.0000000008362000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000001F.00000002.522216604.0000000000A68000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000002.535667052.000000000680D000.00000004.00000001.sdmp	Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es
Source: explorer.exe, 00000009.00000000.314387168.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000009.00000000.297782820.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000009.00000000.310642515.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: unknown protection: read write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3292			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3292			Jump to behavior

Source: explorer.exe, 00000009.00000000.375609203.0000000001400000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: cmstp.exe, 00000012.00000002.571800378.0000000002F50000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.528525754.0000000001060000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.330658470.0000000005F40000.00000004.00000001.sdmp, cmstp.exe, 00000012.00000002.571800378.0000000002F50000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.528525754.0000000001060000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.375609203.0000000001400000.00000002.00020000.sdmp, cmstp.exe, 00000012.00000002.571800378.0000000002F50000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.528525754.0000000001060000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.375609203.0000000001400000.00000002.00020000.sdmp, cmstp.exe, 00000012.00000002.571800378.0000000002F50000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.528525754.0000000001060000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.305283035.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: cmstp.exe, 00000012.00000002.571800378.0000000002F50000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.528525754.0000000001060000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWndass
Source: explorer.exe, 00000009.00000000.314387168.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

ID:	483652
Product:	CloudBasic
Start time:	10:54:12
Start date:	15.09.2021
Sample:	Statement of Acct..exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	850ef5cb4d3e3023ab26072a4cc6a25f
SHA1:	0947a5b62ad244324971c7863977befaae3d71fd
SHA256:	bb7d986712c63235f866f11ebc85ac60c360676e0576a075f16c16f679c31c7b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report Statement of Acct..exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs