Loading ...

Play interactive tourEdit tour

Analysis Report TAB-BAH-003#.pdf.exe

Overview

General Information

Sample Name:TAB-BAH-003#.pdf.exe
Analysis ID:297114
MD5:a50e1f5a371c73665a936da411a338b2
SHA1:cdecedffdf1560bdcd7abddb79e61a76e044760a
SHA256:1a54e429844aae230a6388ce6de7c8231f53380e748c7245bf8c3c7978d0ab79
Tags:exeGuLoader

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • TAB-BAH-003#.pdf.exe (PID: 5624 cmdline: 'C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe' MD5: A50E1F5A371C73665A936DA411A338B2)
    • RegAsm.exe (PID: 6488 cmdline: 'C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "ZLqIkN7aUazqL", "URL: ": "https://oyJs1sPjZ6xJ2VKtw.com", "To: ": "", "ByHost: ": "mail.nrngroupbd.com:587", "Password: ": "HvtE4uTziFz7B9L", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000001.00000002.611396110.0000000000E30000.00000040.00000001.sdmpJoeSecurity_GuLoaderYara detected GuLoaderJoe Security
      Process Memory Space: RegAsm.exe PID: 6488JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        Process Memory Space: RegAsm.exe PID: 6488JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: RegAsm.exe PID: 6488JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 192.185.88.194, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 6488, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49763

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: RegAsm.exe.6488.1.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "ZLqIkN7aUazqL", "URL: ": "https://oyJs1sPjZ6xJ2VKtw.com", "To: ": "", "ByHost: ": "mail.nrngroupbd.com:587", "Password: ": "HvtE4uTziFz7B9L", "From: ": ""}
            Multi AV Scanner detection for submitted fileShow sources
            Source: TAB-BAH-003#.pdf.exeVirustotal: Detection: 30%Perma Link
            Source: TAB-BAH-003#.pdf.exeReversingLabs: Detection: 16%
            Source: 0.2.TAB-BAH-003#.pdf.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen
            Source: 0.0.TAB-BAH-003#.pdf.exe.400000.0.unpackAvira: Label: TR/Dropper.VB.Gen

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49763 -> 192.185.88.194:587
            Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
            Source: unknownDNS traffic detected: queries for: onedrive.live.com
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpString found in binary or memory: http://gPeDXp.com
            Source: RegAsm.exe, 00000001.00000002.620217497.000000001DD37000.00000004.00000001.sdmpString found in binary or memory: http://mail.nrngroupbd.com
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
            Source: RegAsm.exeString found in binary or memory: https://onedrive.live.com/download?cid=5E15857517F5B05A&resid=5E15857517F5B05A%21109&authkey=ACfwJVC
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.620182343.000000001DD2D000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.620135916.000000001DCFE000.00000004.00000001.sdmpString found in binary or memory: https://oyJs1sPjZ6xJ2VKtw.com
            Source: RegAsm.exe, 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Installs a global keyboard hookShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

            System Summary:

            barindex
            Initial sample is a PE file and has a suspicious nameShow sources
            Source: initial sampleStatic PE information: Filename: TAB-BAH-003#.pdf.exe
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_02352F76 NtResumeThread,0_2_02352F76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E32F9F NtQueryInformationProcess,1_2_00E32F9F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E32C23 NtProtectVirtualMemory,1_2_00E32C23
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_02352E660_2_02352E66
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_02352EDF0_2_02352EDF
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_02350FC20_2_02350FC2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FC00401_2_00FC0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FC29A81_2_00FC29A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FCF1871_2_00FCF187
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FC69381_2_00FC6938
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FCD1301_2_00FCD130
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FC97D81_2_00FC97D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FC73C01_2_00FC73C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FCD12E1_2_00FCD12E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1CC52CF81_2_1CC52CF8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_1CC564B81_2_1CC564B8
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.393913636.000000000040C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameExpositsoutpl.exe vs TAB-BAH-003#.pdf.exe
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.394304356.0000000002240000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameExpositsoutpl.exeFE2X vs TAB-BAH-003#.pdf.exe
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.394245867.00000000021F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs TAB-BAH-003#.pdf.exe
            Source: TAB-BAH-003#.pdf.exeBinary or memory string: OriginalFilenameExpositsoutpl.exe vs TAB-BAH-003#.pdf.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/1@3/1
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DFE2342C2B75B1F85E.TMPJump to behavior
            Source: TAB-BAH-003#.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: TAB-BAH-003#.pdf.exeVirustotal: Detection: 30%
            Source: TAB-BAH-003#.pdf.exeReversingLabs: Detection: 16%
            Source: unknownProcess created: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe 'C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000001.00000002.611396110.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6488, type: MEMORY
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00408048 push 00401144h; ret 0_2_0040805B
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_0040805C push 00401144h; ret 0_2_0040806F
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00408070 push 00401144h; ret 0_2_00408083
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_0040800C push 00401144h; ret 0_2_0040801F
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00408020 push 00401144h; ret 0_2_00408033
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00408034 push 00401144h; ret 0_2_00408047
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00406CEB push esi; iretd 0_2_00406CEC
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00408084 push 00401144h; ret 0_2_00408097
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407E51 push 00401144h; ret 0_2_00407E67
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407E68 push 00401144h; ret 0_2_00407E7B
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407E7C push 00401144h; ret 0_2_00407E8F
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407ECC push 00401144h; ret 0_2_00407EDF
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407EE0 push 00401144h; ret 0_2_00407EF3
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407EF4 push 00401144h; ret 0_2_00407F07
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407E90 push 00401144h; ret 0_2_00407EA3
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407EA4 push 00401144h; ret 0_2_00407EB7
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407EB8 push 00401144h; ret 0_2_00407ECB
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F44 push 00401144h; ret 0_2_00407F57
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00406B47 push edx; iretd 0_2_00406B4E
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F58 push 00401144h; ret 0_2_00407F6B
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F6C push 00401144h; ret 0_2_00407F7F
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F08 push 00401144h; ret 0_2_00407F1B
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F1C push 00401144h; ret 0_2_00407F2F
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F30 push 00401144h; ret 0_2_00407F43
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407FD0 push 00401144h; ret 0_2_00407FE3
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00406BE1 push edx; iretd 0_2_00406BE2
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407FE4 push 00401144h; ret 0_2_00407FF7
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407FF8 push 00401144h; ret 0_2_0040800B
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F80 push 00401144h; ret 0_2_00407F93
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407F94 push 00401144h; ret 0_2_00407FA7
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeCode function: 0_2_00407FA8 push 00401144h; ret 0_2_00407FBB

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Uses an obfuscated file name to hide its real file extension (double extension)Show sources
            Source: Possible double extension: pdf.exeStatic PE information: TAB-BAH-003#.pdf.exe
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeRDTSC instruction interceptor: First address: 00000000023513F4 second address: 00000000023513F4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F4914E605A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F4914E60593h 0x00000028 push ecx 0x00000029 call 00007F4914E605B7h 0x0000002e call 00007F4914E605BAh 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: RegAsm.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeRDTSC instruction interceptor: First address: 00000000023513F4 second address: 00000000023513F4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F4914E605A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 cmp ecx, 00000000h 0x00000026 jne 00007F4914E60593h 0x00000028 push ecx 0x00000029 call 00007F4914E605B7h 0x0000002e call 00007F4914E605BAh 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeRDTSC instruction interceptor: First address: 00000000023514A4 second address: 00000000023514A4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F491439635Ah 0x0000001f popad 0x00000020 call 00007F4914394FBDh 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000E314A4 second address: 0000000000E314A4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F4914E6194Ah 0x0000001f popad 0x00000020 call 00007F4914E605ADh 0x00000025 lfence 0x00000028 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E314A1 rdtsc 1_2_00E314A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 544Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -59594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -117000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -58000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -57594s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -56000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -55688s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -55500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -53000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -51500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -49500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -45500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -44000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -43500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -42000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -40500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -53250s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -35000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -59812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -59312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -88359s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -58718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -58218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -57812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -54406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -52812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -52624s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -52124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -51906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -51718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -51218s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -48906s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -47124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -45124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -43124s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -42406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -37718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -37530s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -36812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -33406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -33030s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -32812s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -30718s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -30312s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -57406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -56500s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -55406s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6652Thread sleep time: -55000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: RegAsm.exe, 00000001.00000002.624088501.0000000020600000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
            Source: RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: vmicvss
            Source: RegAsm.exe, 00000001.00000002.624088501.0000000020600000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: RegAsm.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: RegAsm.exe, 00000001.00000002.624088501.0000000020600000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
            Source: TAB-BAH-003#.pdf.exe, 00000000.00000002.395472870.000000000397A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
            Source: RegAsm.exe, 00000001.00000002.612404324.0000000002B2A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
            Source: RegAsm.exe, 00000001.00000002.624088501.0000000020600000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging:

            barindex
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E314A1 rdtsc 1_2_00E314A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00FC5AA8 LdrInitializeThunk,1_2_00FC5AA8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E30C73 mov eax, dword ptr fs:[00000030h]1_2_00E30C73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E326EF mov eax, dword ptr fs:[00000030h]1_2_00E326EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E329C2 mov eax, dword ptr fs:[00000030h]1_2_00E329C2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E308D8 mov eax, dword ptr fs:[00000030h]1_2_00E308D8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E3256E mov eax, dword ptr fs:[00000030h]1_2_00E3256E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E30B76 mov eax, dword ptr fs:[00000030h]1_2_00E30B76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00E3135A mov eax, dword ptr fs:[00000030h]1_2_00E3135A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Writes to foreign memory regionsShow sources
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E30000Jump to behavior
            Source: C:\Users\user\Desktop\TAB-BAH-003#.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\TAB-BAH-003#.pdf.exe' Jump to behavior
            Source: RegAsm.exe, 00000001.00000002.612251074.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000001.00000002.612251074.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: RegAsm.exe, 00000001.00000002.612251074.00000000016D0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
            Source: RegAsm.exe, 00000001.00000002.612251074.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6488, type: MEMORY
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
            Tries to harvest and steal browser information (history, passwords, etc)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Tries to harvest and steal ftp login credentialsShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
            Tries to steal Mail credentials (via file access)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
            Source: Yara matchFile source: 00000001.00000002.619412422.000000001D9D1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6488, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6488, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection112Masquerading1OS Credential Dumping2Security Software Discovery631Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion34Input Capture11Virtualization/Sandbox Evasion34Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Credentials in Registry1Process Discovery2SMB/Windows Admin SharesArchive Collected Data1Automated ExfiltrationApplication Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSApplication Window Discovery1Distributed Component Object ModelData from Local System2Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information11LSA SecretsRemote System Discovery1SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing1Cached Domain CredentialsSystem Information Discovery314VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process