
Windows Analysis Report Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 1637
MD5: 0fb63e5eb6af1aff086e3c2a2321f716
SHA1: 5e7e1db40c9104297c3b05b26c97a788eb92401b
SHA256: 0b65815d462586870177898072a1500ec014a390eb466ea0dd716567ada4109a

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Abnormal high CPU Usage
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • Statement of Account.exe (PID: 9068 cmdline: 'C:\Users\user\Desktop\Statement of Account.exe' MD5: 0FB63E5EB6AF1AFF086E3C2A2321F716)
    • RegAsm.exe (PID: 3604 cmdline: 'C:\Users\user\Desktop\Statement of Account.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7740 cmdline: 'C:\Users\user\Desktop\Statement of Account.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 1572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • UserOOBEBroker.exe (PID: 1456 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
  • cleanup
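The process tree above is the tell-tale of the loader stage: both RegAsm.exe children (PIDs 3604 and 7740) run with the parent's own command line, 'C:\Users\user\Desktop\Statement of Account.exe', which is what a hollowed child inherits from CreateProcess, and the second one is the process that later resolves checkip.dyndns.org and freegeoip.app. The following hunt logic is an added example, not part of the Joe Sandbox report; the event records are constructed by hand from the process tree and networking section (field names follow Sysmon Event ID 1 and 22, but nothing here is a sandbox export), the benign control event is assumed, and the list of hollowing targets is the editor's, not Joe Sandbox's:

```python
"""Hunt for the RegAsm.exe hollowing pattern in the process tree above.

Added example; not part of the Joe Sandbox report. The event records are
constructed by hand to mirror the report's process tree and DNS lookups (field
names follow Sysmon Event ID 1 / 22, but nothing here is a sandbox export).
"""
import ntpath

# .NET SDK helpers commonly hollowed by loaders (RegAsm.exe is the one used here).
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                  "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

# Public IP / geolocation services the sample contacted. The hosts are legitimate;
# the signal is a hollowed SDK binary querying them, not the domains themselves.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}

PROCESS_EVENTS = [  # constructed from the report's process tree
    {"pid": 9068, "ppid": 1000, "image": r"C:\Users\user\Desktop\Statement of Account.exe",
     "cmdline": r"'C:\Users\user\Desktop\Statement of Account.exe'"},
    {"pid": 3604, "ppid": 9068, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"'C:\Users\user\Desktop\Statement of Account.exe'"},
    {"pid": 7740, "ppid": 9068, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"'C:\Users\user\Desktop\Statement of Account.exe'"},
    {"pid": 1572, "ppid": 7740, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Benign control (assumed, not from the report): a developer registering a COM assembly.
    {"pid": 4242, "ppid": 4000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MyLib.dll /codebase'},
]

DNS_EVENTS = [  # constructed from the report's networking section
    {"pid": 7740, "query": "checkip.dyndns.org"},
    {"pid": 7740, "query": "freegeoip.app"},
    {"pid": 7740, "query": "drive.google.com"},
]


def first_token(cmdline: str) -> str:
    """Return argv[0] of a raw Windows command line, honouring ' or " quoting."""
    s = cmdline.strip()
    if s and s[0] in "'\"":
        end = s.find(s[0], 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def hollowing_candidates(events):
    """PIDs of SDK helper images whose argv[0] names a different executable.

    A hollowed child keeps the command line its parent passed to CreateProcess.
    In this report both RegAsm.exe children carry the parent's own path, so
    argv[0] is 'Statement of Account.exe' while the image is RegAsm.exe.
    """
    hits = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image not in HOLLOW_TARGETS:
            continue
        argv0 = ntpath.basename(first_token(ev["cmdline"])).lower()
        if argv0 != image:
            hits.append(ev["pid"])
    return hits


def ip_lookup_from_hollowed(process_events, dns_events):
    """Second signal: hollowing candidates that also resolve IP-lookup services."""
    suspects = set(hollowing_candidates(process_events))
    return sorted({d["pid"] for d in dns_events
                   if d["pid"] in suspects and d["query"].lower() in IP_LOOKUP_HOSTS})


if __name__ == "__main__":
    print("hollowing candidates:", hollowing_candidates(PROCESS_EVENTS))
    print("hollowed + IP lookup:", ip_lookup_from_hollowed(PROCESS_EVENTS, DNS_EVENTS))
```

The image/argv[0] mismatch alone catches both children; the DNS correlation narrows it to the one that went on to fingerprint the host, which is the process whose memory later matched the Credential Stealer Yara rule. Do not key the rule on the domains by themselves: checkip.dyndns.org and freegeoip.app are legitimate services with plenty of benign callers.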

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: RegAsm.exe PID: 7740
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: Statement of Account.exe | Virustotal: Detection: 21%
    Source: Statement of Account.exe | ReversingLabs: Detection: 23%
    Multi AV Scanner detection for domain / URL
    Source: https://freegeoip.app/xml/ | Virustotal: Detection: 5%
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 24_2_00A09E00 CryptUnprotectData | 24_2_00A09E00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 24_2_00A0A51B CryptUnprotectData | 24_2_00A0A51B
    Source: Statement of Account.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.11.20:49760 version: TLS 1.0
    Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49757 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49758 version: TLS 1.2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions with inlined nops (function id in parentheses):
      4x nop then jmp 00A0CF6Fh (24_2_00A0CCC8)
      4x nop then jmp 00A0FADFh (24_2_00A0F838)
      4x nop then jmp 00A0C6BFh (24_2_00A0C418)
      4x nop then jmp 00A0CB17h (24_2_00A0C870)
      4x nop then jmp 00A0DC77h (24_2_00A0D9D0)
      4x nop then jmp 00A0D3C7h (24_2_00A0D120)
      4x nop then jmp 00A0D81Fh (24_2_00A0D578)
      4x nop then jmp 00A0E527h (24_2_00A0E280)
      4x nop then jmp 00A0E97Fh (24_2_00A0E6D8)
      4x nop then jmp 00A0E0CFh (24_2_00A0DE28)
      4x nop then jmp 00A0F22Fh (24_2_00A0EF88)
      4x nop then jmp 00A0F687h (24_2_00A0F3E0)
      4x nop then jmp 00A0EDD7h (24_2_00A0EB30)
      4x nop then mov esp, ebp (24_2_00A0C180)
      4x nop then mov esp, ebp (24_2_00A0C190)
      4x nop then jmp 1DABF0AFh (24_2_1DABEDF0)
      4x nop then jmp 1DABD831h (24_2_1DABCE48)
      4x nop then jmp 1DABE258h (24_2_1DABDE40)
      4x nop then jmp 1DABEC4Fh (24_2_1DABE990)
      4x nop then jmp 1DABDC91h (24_2_1DABD9D1)
      4x nop then jmp 1DABFDCFh (24_2_1DABFB11)
      4x nop then jmp 1DABF96Fh (24_2_1DABF6B0)
      4x nop then jmp 1DABF50Fh (24_2_1DABF252)
      4x nop then jmp 1DABE258h (24_2_1DABDE31)
      4x nop then mov dword ptr [ebp-14h], 00000000h (24_2_1DABC99B)
      4x nop then mov dword ptr [ebp-14h], 00000000h (24_2_1DABCB7C)
      4x nop then jmp 1DABE258h (24_2_1DABE186)
      4x nop then mov dword ptr [ebp-14h], 00000000h (24_2_1DABC368)

    Networking:

    May check the online IP address of the machine
    Source: unknown | DNS query: name: checkip.dyndns.org (2 queries)
    Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic | HTTP traffic detected: GET /xml/102.129.143.96 HTTP/1.1 | Host: freegeoip.app | Connection: Keep-Alive
    Source: Joe Sandbox View | IP Address: 104.21.19.200
    Source: Joe Sandbox View | IP Address: 132.226.247.73
    Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.11.20:49760 version: TLS 1.0
    Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3ec96pm2v8cjj8osvev6ltnouevou20i/1634121375000/08714151441044389622/*/1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-08-4k-docs.googleusercontent.com | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
    Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
    Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
    Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
    Source: RegAsm.exe, 00000018.00000002.6271305242.000000001DD70000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
    Source: RegAsm.exe, 00000018.00000002.6269476123.000000001DCC1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
    Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: RegAsm.exe, 00000018.00000002.6271691821.000000001DD9D000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
    Source: UserOOBEBroker.exe, 00000021.00000002.6244747221.0000017B93A90000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.microso
    Source: RegAsm.exe, 00000018.00000002.6269476123.000000001DCC1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000003.2090010661.0000000001095000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
    Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6250601315.0000000001008000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/
    Source: RegAsm.exe, 00000018.00000002.6253487023.0000000001071000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/%%doc-08-4k-docs.googleusercontent.com
    Source: RegAsm.exe, 00000018.00000003.2375703066.0000000001052000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/A
    Source: RegAsm.exe, 00000018.00000003.2375703066.0000000001052000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/L
    Source: RegAsm.exe, 00000018.00000003.2090010661.0000000001095000.00000004.00000001.sdmp | String found in binary or memory: https://doc-08-4k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3ec96pm2
    Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/
    Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/M(
    Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp, RegAsm.exe, 00000018.00000002.6249062375.0000000000DD0000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ
    Source: RegAsm.exe, 00000018.00000002.6251289990.0000000001025000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJ4&/
    Source: RegAsm.exe, 00000018.00000003.2085376210.0000000001095000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1fuTtg-3dZntlAsxF1yPdYhIzZ_wio3sJTad-woJtmtPfZ2CsQ
    Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
    Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
    Source: RegAsm.exe, 00000018.00000002.6271466911.000000001DD7C000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/102.129.143.96
    Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
    Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
    Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
    Source: RegAsm.exe, 00000018.00000002.6272163007.000000001DDE1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
    Source: RegAsm.exe, 00000018.00000002.6272576739.000000001DE08000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
    Source: unknown | DNS traffic detected: queries for: drive.google.com
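The two JA3 values the report flags are MD5 hashes over the ClientHello parameters a TLS client offers (protocol version, cipher suites, extension types, supported groups and point formats), which is why the same .NET HTTP stack produces the same hash regardless of the server it talks to, and why a hash "seen in connection with other malware" is worth a watch-list entry even though the destinations here (drive.google.com, freegeoip.app, checkip.dyndns.org) are all legitimate. The code below is an added example of that computation and is not Joe Sandbox code; the ClientHello it parses is constructed in-process by build_client_hello(), so its hash is illustrative, and the watch list holds the two hashes from the report. A real capture would feed the first TLS record the client sends on each 4975x -> 443 flow listed above:

```python
"""Compute a JA3 client fingerprint from a raw TLS ClientHello and match it
against the two hashes the report lists as seen with other malware.

Added example; not part of the Joe Sandbox report and not Joe Sandbox code.
The ClientHello is constructed in-process by build_client_hello(), so its
hash is illustrative. A real capture would be read from the first TLS record
the client sends on port 443 (the 49757-49760 -> 443 flows above).
"""
import hashlib
import struct

# The two JA3 hashes the report attributes to RegAsm.exe traffic.
WATCHLIST = {
    "54328bd36c14bd82ddaa0c04b25ed9ad": "JA3 listed in the report (RegAsm.exe)",
    "37f463bf4616ecd445d4a1937da06e19": "JA3 listed in the report (RegAsm.exe)",
}


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(client_hello: bytes) -> str:
    """Parse one TLS record holding a ClientHello and return the JA3 string
    'version,ciphers,extensions,curves,point_formats' (decimal, '-' separated)."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9
    version = struct.unpack_from("!H", client_hello, p)[0]
    p += 2 + 32                                   # client_version, then 32-byte random
    p += 1 + client_hello[p]                      # session_id (length-prefixed)
    cs_len = struct.unpack_from("!H", client_hello, p)[0]
    p += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", client_hello[p:p + cs_len])]
    p += cs_len
    p += 1 + client_hello[p]                      # compression_methods (length-prefixed)
    exts, curves, points = [], [], []
    if p + 2 <= len(client_hello):                # extensions block is optional
        end = p + 2 + struct.unpack_from("!H", client_hello, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", client_hello, p)
            p += 4
            body = client_hello[p:p + elen]
            p += elen
            exts.append(etype)
            if etype == 10:                       # supported_groups: u16 length + u16 list
                n = struct.unpack_from("!H", body)[0]
                curves = [g for (g,) in struct.iter_unpack("!H", body[2:2 + n])]
            elif etype == 11:                     # ec_point_formats: u8 length + u8 list
                points = list(body[1:1 + body[0]])

    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([str(version), join(ciphers), join(exts), join(curves), join(points)])


def ja3_hash(client_hello: bytes) -> str:
    return hashlib.md5(ja3_string(client_hello).encode()).hexdigest()


def lookup(client_hello: bytes):
    """Return the watch-list label for this ClientHello, or None."""
    return WATCHLIST.get(ja3_hash(client_hello))


def build_client_hello(version=0x0303, ciphers=(), extensions=()) -> bytes:
    """Assemble a minimal ClientHello record (constructed input for the example).
    extensions: iterable of (type, body_bytes) in wire order."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def groups_ext(groups):
    return struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)


def point_formats_ext(formats):
    return bytes([len(formats)]) + bytes(formats)


# Constructed ClientHello; a GREASE cipher and GREASE group are included to show they are dropped.
SAMPLE_HELLO = build_client_hello(
    ciphers=(0x0A0A, 0xC02B, 0xC02F, 0x009C),
    extensions=(
        (0, b"\x00\x10\x00\x00\x0dfreegeoip.app"),   # server_name (contents do not affect JA3)
        (10, groups_ext((0x1A1A, 0x001D, 0x0017))),   # x25519, secp256r1 after GREASE removal
        (11, point_formats_ext((0,))),                # uncompressed
        (13, b"\x00\x02\x04\x01"),                    # signature_algorithms: rsa_pkcs1_sha256
    ),
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,49195-49199-156,0-10-11-13,29-23,0
    print(ja3_hash(SAMPLE_HELLO), lookup(SAMPLE_HELLO))
```

Two caveats when turning this into a detection: a JA3 identifies the TLS library and its configuration, not the malware, so a hash that matches a stock .NET Framework client will also fire on legitimate .NET applications and should be combined with the process context (a hollowed RegAsm.exe) rather than used alone; and the TLS 1.0 negotiation to 104.21.19.200 is itself a client-side tell, since the Drive connections in the same run negotiated TLS 1.2.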

    System Summary:

    Potential malicious icon found
    Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: Statement of Account.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code functions: 0_2_00401868, 0_2_0040228E, 0_2_00403253, 0_2_0040346F, 0_2_00403612, 0_2_004032D9, 0_2_004034FC, 0_2_00403353, 0_2_004033E4, 0_2_00403583, 0_2_004031B3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions: 24_2_00A0CCC8, 24_2_00A0F838, 24_2_00A0C418, 24_2_00A0C870, 24_2_00A0D9D0, 24_2_00A0D120, 24_2_00A0D578, 24_2_00A0E280, 24_2_00A0E6D8, 24_2_00A0DE28, 24_2_00A02208, 24_2_00A0EF88, 24_2_00A097E0, 24_2_00A0F3E0, 24_2_00A06728, 24_2_00A0EB30, 24_2_00A0CCB8, 24_2_00A0F828, 24_2_00A0C408, 24_2_00A0C86C, 24_2_00A05D80, 24_2_00A021FA, 24_2_00A0D9C0, 24_2_00A05923, 24_2_00A0D111, 24_2_00A0D569, 24_2_00A05D70, 24_2_00A0E6C8, 24_2_00A0BA30, 24_2_00A0DE18, 24_2_00A0E271, 24_2_00A097CF, 24_2_00A0F3DC, 24_2_00A0EB21, 24_2_00A0EF79
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code functions: 24_2_1DABEDF0, 24_2_1DAB2F0A, 24_2_1DABCE48, 24_2_1DABE990, 24_2_1DABD9D1, 24_2_1DABFB11, 24_2_1DAB5A68, 24_2_1DAB4440, 24_2_1DABF6B0, 24_2_1DAB9148, 24_2_1DAB6090, 24_2_1DABE2D0, 24_2_1DABF252, 24_2_1DABC368, 24_2_1DABC357, 24_2_1DABE2C1
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: String function: 0040177E appears 94 times
    Source: C:\Users\user\Desktop\Statement of Account.exe | Process Stats: CPU usage > 98%
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 98%
    Source: Statement of Account.exe, 00000000.00000002.2113856348.0000000002AD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnnec1.exeFE2X vs Statement of Account.exe
    Source: Statement of Account.exe, 00000000.00000000.1194085530.000000000041C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUnnec1.exe vs Statement of Account.exe
    Source: Statement of Account.exe | Binary or memory string: OriginalFilenameUnnec1.exe vs Statement of Account.exe
    Source: Statement of Account.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Statement of Account.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edgegdi.dll
    Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Section loaded: edgegdi.dll
    Source: Statement of Account.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Statement of Account.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Statement of Account.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: unknown | Process created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
    Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
    Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@4/4
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:120:WilError_03
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_00403F55 push 00000043h; ret | 0_2_00403F65
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_004021A3 push FFFFFFC6h; retf | 0_2_00402213
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_004067B9 push eax; retf | 0_2_004067BA
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_02273C40 push esi; iretd | 0_2_02273C41
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_02270EF6 push BA9255A5h; ret | 0_2_02270F1A
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_022728FC pushfd ; ret | 0_2_02272908
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_02270F14 push BA9255A5h; ret | 0_2_02270F1A
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_02273362 push cs; ret | 0_2_02273364
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_02272B4E push ss; retf | 0_2_02272B5B
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_02272DCD push cs; iretd | 0_2_02272DCE
    Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 0_2_022733C8 pushfd ; ret | 0_2_022733CE
    Source: initial sample | Static PE information: section name: .text entropy: 6.83550763896
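The three static findings just listed (the 'push ...; ret' pairs in the VB6 loader, the runs of four nops before a jmp in the injected RegAsm.exe code, and the .text entropy of 6.84) are each a one-pass byte scan. The scanner below is an added example of those heuristics and is not Joe Sandbox's implementation: the thresholds (entropy 6.8, four nops) are assumptions chosen to match the numbers the report printed, and SAMPLE_CODE is hand-assembled, not bytes from the sample:

```python
"""Static heuristics behind three of the report's signatures (section entropy,
'push ...; ret' obfuscation, '4x nop then jmp'), run over constructed bytes.

Added example; not Joe Sandbox code. The thresholds are assumptions chosen to
match the values the report printed (entropy 6.8355 on .text, runs of four
nops), not Joe Sandbox's actual rules, and SAMPLE_CODE is hand-assembled, not
bytes from the sample.
"""
import math
from collections import Counter

ENTROPY_THRESHOLD = 6.8     # assumed: above this a .text section looks packed or encrypted
RET_OPCODES = (0xC3, 0xCB)  # ret, retf


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform (packed/encrypted); plain x86 code is usually well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_push_ret(code: bytes, base: int = 0):
    """(address, kind) for 'push imm32/imm8/r32/pushfd' immediately followed by ret/retf.

    'push X; ret' transfers control to X without a call or jmp, so linear
    disassembly and call-graph tools lose the edge; this is the pattern behind
    lines such as '0_2_00403F55 push 00000043h; ret'.
    """
    hits = []
    n = len(code)
    for i, op in enumerate(code):
        if op == 0x68 and i + 5 < n and code[i + 5] in RET_OPCODES:
            hits.append((base + i, "push imm32; ret"))
        elif op == 0x6A and i + 2 < n and code[i + 2] in RET_OPCODES:
            hits.append((base + i, "push imm8; ret"))
        elif (0x50 <= op <= 0x57 or op == 0x9C) and i + 1 < n and code[i + 1] in RET_OPCODES:
            hits.append((base + i, "push r32/pushfd; ret"))
    return hits


def find_nop_then_jmp(code: bytes, base: int = 0, min_nops: int = 4):
    """(address, run_length) for runs of >= min_nops 0x90 bytes followed by jmp (EB rel8 / E9 rel32)."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and code[j] == 0x90:
            j += 1
        if j - i >= min_nops and j < n and code[j] in (0xEB, 0xE9):
            hits.append((base + i, j - i))
        i = j
    return hits


def section_report(data: bytes, base: int = 0) -> dict:
    """Everything the report printed for one section, from one pass over its bytes."""
    ent = shannon_entropy(data)
    return {
        "entropy": ent,
        "high_entropy": ent >= ENTROPY_THRESHOLD,
        "push_ret": find_push_ret(data, base),
        "nop_jmp": find_nop_then_jmp(data, base),
    }


# Hand-assembled buffer (constructed, not from the sample):
SAMPLE_CODE = (
    b"\x55\x8b\xec"                              # push ebp; mov ebp, esp   (normal prologue, not flagged)
    + b"\x68\x43\x00\x00\x00\xc3"                # push 43h; ret            -> obfuscated jump
    + b"\x50\xcb"                                # push eax; retf
    + b"\x90\x90\x90\x90\xe9\x10\x00\x00\x00"    # 4x nop then jmp rel32
    + b"\x90\x90\xeb\x02"                        # 2x nop then jmp: below threshold
    + b"\x33\xc0\xc3"                            # xor eax, eax; ret        (ordinary return)
)

if __name__ == "__main__":
    print(section_report(SAMPLE_CODE, base=0x401000))
```

Read the entropy with the loader in mind: 6.84 on .text is high for MSVB6 code but well short of the 7.9+ of a compressed or encrypted blob, which fits a VB6 stub whose payload is stored encoded elsewhere (the GuLoader pattern) rather than a whole-file packer. The push/ret hits at 0_2_0227xxxx sit in dynamically allocated memory, not the image, so they are the decoded stage, and a byte scanner over the on-disk file alone would miss them.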
    Source: C:\Users\user\Desktop\Statement of Account.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (24 occurrences)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe