Play interactive tour

Edit tour

Analysis Report Proforma Invoice Copy.exe

Overview

General Information

Sample Name:	Proforma Invoice Copy.exe
Analysis ID:	321196
MD5:	d3bcc41cd14ace48314861fbeae864ba
SHA1:	8e77cb335075e93fffe5e8652d2b7b011d2a922a
SHA256:	5bdb22f495f4d4856e100acf674236191d0082c075884b2fe0892fa5b58923a8
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Proforma Invoice Copy.exe (PID: 6868 cmdline: 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' MD5: D3BCC41CD14ACE48314861FBEAE864BA)

RegAsm.exe (PID: 6936 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

Proforma Invoice Copy.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' MD5: D3BCC41CD14ACE48314861FBEAE864BA)

RegAsm.exe (PID: 812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Proforma Invoice Copy.exe PID: 6992	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6936	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 812	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.Proforma Invoice Copy.exe.5010000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Proforma Invoice Copy.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Proforma Invoice Copy.exe	Virustotal: Detection: 34%			Perma Link
Source: Proforma Invoice Copy.exe	ReversingLabs: Detection: 45%

Machine Learning detection for sample

Show sources

Source: Proforma Invoice Copy.exe

Joe Sandbox ML: detected

Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: http://PtYxrU.com
Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 1.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.cs	Large array initialization: .cctor: array initializer size 11818
Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.cs	Large array initialization: .cctor: array initializer size 11818
Source: 4.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.cs	Large array initialization: .cctor: array initializer size 11818

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Proforma Invoice Copy.exe

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_04EF00AD NtOpenSection,NtMapViewOfSection,		2_2_04EF00AD
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_04EF1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,		2_2_04EF1C09

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00DB46A0	1_2_00DB46A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00DB359C	1_2_00DB359C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00DB45B0	1_2_00DB45B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00DBD261	1_2_00DBD261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00DB5373	1_2_00DB5373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05E56508	1_2_05E56508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05E58CD8	1_2_05E58CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05E57120	1_2_05E57120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_05E56850	1_2_05E56850
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_0057E2B9	2_2_0057E2B9
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_00DA04F0	2_2_00DA04F0
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_00DA04E1	2_2_00DA04E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0269AAB0	4_2_0269AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_026901A4	4_2_026901A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_02695D28	4_2_02695D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_026998B8	4_2_026998B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0269C618	4_2_0269C618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_02697468	4_2_02697468

Source: Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameDsLLleMsIXkWBLtjVecm.exe4 vs Proforma Invoice Copy.exe
Source: Proforma Invoice Copy.exe, 00000002.00000002.509466982.0000000003D7D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelhqVMJEsRZDQKDeC.bounce.exe4 vs Proforma Invoice Copy.exe
Source: Proforma Invoice Copy.exe, 00000002.00000002.503062669.0000000000C6A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Proforma Invoice Copy.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: Proforma Invoice Copy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegAsm.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegAsm.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/0@0/0

Source: Proforma Invoice Copy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Proforma Invoice Copy.exe	Virustotal: Detection: 34%
Source: Proforma Invoice Copy.exe	ReversingLabs: Detection: 45%

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

File read: C:\Users\user\Desktop\Proforma Invoice Copy.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Proforma Invoice Copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Proforma Invoice Copy.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_02694689 push 8BFFFFFFh; retf

4_2_02694698

Source: initial sample

Static PE information: section name: .text entropy: 7.86287833188

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Window / User API: threadDelayed 1891	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Window / User API: threadDelayed 384	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Window / User API: threadDelayed 1814	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 667	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6872	Thread sleep time: -37820s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 64	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5508	Thread sleep count: 136 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5508	Thread sleep count: 61 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 7020	Thread sleep count: 384 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6996	Thread sleep count: 1814 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6996	Thread sleep time: -36280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6316	Thread sleep count: 224 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6316	Thread sleep count: 667 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -59500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -59282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -57500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -57282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -56688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -113000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -56188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -54876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -54688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -54500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -54282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -79500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -52688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -52282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -49688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -49188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -48782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -48594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -48376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -48094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -47688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -71250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -47282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -47000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -46594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -46376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -46188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -46000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -45688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -45500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -45282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -45094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -43282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -43094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -42188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -41094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -40876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -40688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -60750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -57750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -37594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -37376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -36500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -36282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -35188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -52500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -34094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -33876s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -33000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -32782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -47250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -31000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -30782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -30376s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -43594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -42500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -35500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -33500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -59812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -59406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -58500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -57812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -57406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -56718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -54812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -54312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -53218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -52812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -52406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -51312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -49718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -49312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -48406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -47312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -46906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -46218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -45812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -44500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324	Thread sleep time: -43812s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed

Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0269AAB0 LdrInitializeThunk,

4_2_0269AAB0

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_04EF00AD mov ecx, dword ptr fs:[00000030h]	2_2_04EF00AD
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_04EF00AD mov eax, dword ptr fs:[00000030h]	2_2_04EF00AD
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Code function: 2_2_04EF01CB mov eax, dword ptr fs:[00000030h]	2_2_04EF01CB

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9CA008			Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 874008			Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Queries volume information: C:\Users\user\Desktop\Proforma Invoice Copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Queries volume information: C:\Users\user\Desktop\Proforma Invoice Copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_05E5223C GetUserNameW,

1_2_05E5223C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice Copy.exe PID: 6992, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice Copy.exe PID: 6992, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection212	Virtualization/Sandbox Evasion14	OS Credential Dumping1	Security Software Discovery121	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion14	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection212	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing3	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery115	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Proforma Invoice Copy.exe	35%	Virustotal		Browse
Proforma Invoice Copy.exe	46%	ReversingLabs	ByteCode-MSIL.Trojan.Tnega
Proforma Invoice Copy.exe	100%	Avira	TR/AD.AgentTesla.hlwts
Proforma Invoice Copy.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.Proforma Invoice Copy.exe.5010000.1.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
1.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://PtYxrU.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://PtYxrU.com	RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321196
Start date:	20.11.2020
Start time:	15:34:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Proforma Invoice Copy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.3%) Quality average: 58.7% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:35:33	API Interceptor	782x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8576781444417625
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Proforma Invoice Copy.exe
File size:	614400
MD5:	d3bcc41cd14ace48314861fbeae864ba
SHA1:	8e77cb335075e93fffe5e8652d2b7b011d2a922a
SHA256:	5bdb22f495f4d4856e100acf674236191d0082c075884b2fe0892fa5b58923a8
SHA512:	28d5a877d1e63efe0667b7ae134413a6a8c82b988aed249ca4425d1ad6eb926bad53a57f93a88a117c1b208ed3622ff70dc90aac0f49da2c0b5cd66d055458ad
SSDEEP:	12288:g6f1qSUgblfQ7F3hm//jUw5iSr3MnVmkyMmba2:N1egb8F3hm//QAlr8VVyZba
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.._.................X..........~v... ........@.. ..............................".....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49767e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB6E24A [Thu Nov 19 21:23:22 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97630	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x95684	0x95800	False	0.917408614653	data	7.86287833188	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x242	0x400	False	0.30859375	data	3.56683492949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x98058	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Proforma Invoice Copy.exe PID: 6868 Parent PID: 5824

General

Start time:	15:35:19
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Proforma Invoice Copy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
Imagebase:	0xf20000
File size:	614400 bytes
MD5 hash:	D3BCC41CD14ACE48314861FBEAE864BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6936 Parent PID: 6868

General

Start time:	15:35:24
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x650000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: Proforma Invoice Copy.exe PID: 6992 Parent PID: 6868

General

Start time:	15:35:28
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\Proforma Invoice Copy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
Imagebase:	0x4f0000
File size:	614400 bytes
MD5 hash:	D3BCC41CD14ACE48314861FBEAE864BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 812 Parent PID: 6992

General

Start time:	15:35:36
Start date:	20/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x660000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RegAsm.exe PID: 6936 Parent PID: 6868 RegAsm.exeCOMMON

Executed Functions

Function 05E5223C, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05E5B21B

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: acc227f3992f3b99c39e811cd051509001e7619e7f3e011a52bd561cc4f3b3a0
Instruction ID: 274042ff2f2dddd1ecd95954a51f34cdd5416bab71aa0c13a84f02b3022a89c8
Opcode Fuzzy Hash: acc227f3992f3b99c39e811cd051509001e7619e7f3e011a52bd561cc4f3b3a0
Instruction Fuzzy Hash: CC512470D00218CFDB14CFA9C899BDEBBB5BF48324F14912AE856AB350D774A844CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05E58CD8, Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

<)l, xrefs: 05E58F25

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID: <)l
API String ID: 0-2890260046
Opcode ID: 51b66764625dc759a7f0a81b9bc4187e1cfab3f5dee588cb3a413af4b50ef0a4
Instruction ID: f97b8933aef5f8ab733119e09648a01ab932cbb9f6daa5a34dd674e7cfaa9ef8
Opcode Fuzzy Hash: 51b66764625dc759a7f0a81b9bc4187e1cfab3f5dee588cb3a413af4b50ef0a4
Instruction Fuzzy Hash: 94D15E70E04219CFCB14DFA8C484AAEBBF2FF88324F158559E955AB351DB34A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB45B0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86af38e875e469862171c9db43229a4b234156aee5b591e1b61d6c0725bd5c42
Instruction ID: 21941409d01c9b8b0bdaf2b3e1a82c293e0c8053742acfa3fe309b34336bd953
Opcode Fuzzy Hash: 86af38e875e469862171c9db43229a4b234156aee5b591e1b61d6c0725bd5c42
Instruction Fuzzy Hash: BEF1CDB1C85785CFDB11CF65E8482893FB0EB8A318F15CA59D1A16F2E2D778146ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB46A0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bfb7df6797fc361cff43eb7c99fca2d50273343eb7a8fe6f11501985a2a95b
Instruction ID: 3405a115674d5f32fe266ae7c0355353d67391b77ede3bc7aacfcf8fefac1a1f
Opcode Fuzzy Hash: e6bfb7df6797fc361cff43eb7c99fca2d50273343eb7a8fe6f11501985a2a95b
Instruction Fuzzy Hash: CA12C4F0C81746CBEB10CF65E8481853BA5B789728F61CB18D2612F6D1D7B911AACF64

Uniqueness

Uniqueness Score: -1.00%

Function 05E57120, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f69e82ff79e48b0c70b7813a9ea12f8edf0c714df6159bc092db8584df74fc
Instruction ID: 372d0d7b9c860faec18545bed29a4ad3f8ef743e5090bb0c1fcc95e450dbde19
Opcode Fuzzy Hash: 06f69e82ff79e48b0c70b7813a9ea12f8edf0c714df6159bc092db8584df74fc
Instruction Fuzzy Hash: C8B15CB0E042198FDF10CFA9C8857EDBBF2FF48368F149129E855A7294EB749855CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05E56508, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a88dfa45c79bfadc510fbfba0318fb97dfc2af102be5989c0ace0bab2c837
Instruction ID: dd4a3cfb7ab05493fd4061e394cd4498351db76b093e327c53b3d018e720f57b
Opcode Fuzzy Hash: 491a88dfa45c79bfadc510fbfba0318fb97dfc2af102be5989c0ace0bab2c837
Instruction Fuzzy Hash: D3915CB1E002099FDF10CFA8C8857EDBBF2BF88328F549529E855A7294DB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00DB359C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587c60192bbab9547acbc5544880091c445dfecd655a3bc154c1932c1d54bd37
Instruction ID: 14a7e7fa1f340615bd23ae4795bbbd1a9cbd9864b6b0ab7dfe1839c6c47657f3
Opcode Fuzzy Hash: 587c60192bbab9547acbc5544880091c445dfecd655a3bc154c1932c1d54bd37
Instruction Fuzzy Hash: AD917A34E00719CFCB04DFA0D844ADDBBBAFF89304F258615E416AB7A4EB30A945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB5373, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1cb24f1e029de14fd4ca5fb51ae94e8ad755d9697d022e3b1d0269a288acc2
Instruction ID: 0d3a6c8d5fca4b6fae17927e611a6df4517b87d7c974e9ed872d864315f8a759
Opcode Fuzzy Hash: 6e1cb24f1e029de14fd4ca5fb51ae94e8ad755d9697d022e3b1d0269a288acc2
Instruction Fuzzy Hash: 0F919E35D00349CFCB05DFA0D844ADDBBB6FF8A304F158655E416AB7A5EB30A949CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6903, Relevance: 6.1, APIs: 4, Instructions: 145threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB6913: GetCurrentProcess.KERNEL32 ref: 00DB69A0
Part of subcall function 00DB6913: GetCurrentThread.KERNEL32 ref: 00DB69DD
Part of subcall function 00DB6913: GetCurrentProcess.KERNEL32 ref: 00DB6A1A

GetCurrentThreadId.KERNEL32 ref: 00DB6A73

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f0fe40e66a88ab61e56a762ef9029f5fc3f5e445bf450edb97bc1c996d27ec0e
Instruction ID: abdbcfa899edfb7a0c4cdf8c2331423c0953f299bbb17d781292474f4b679878
Opcode Fuzzy Hash: f0fe40e66a88ab61e56a762ef9029f5fc3f5e445bf450edb97bc1c996d27ec0e
Instruction Fuzzy Hash: B55166B09043898FDB01DFA9C548BDEBFF0EF49304F14809AE449A7291D7789944CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6913, Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 13f9f13325a022adfffc612d96c570ea615085066bb7d6f4ff0c64d05b9aea83
Instruction ID: a76a62469517aa14ad1ff5116a69ac5adcb37c75897260d616a90d9a7d76bc91
Opcode Fuzzy Hash: 13f9f13325a022adfffc612d96c570ea615085066bb7d6f4ff0c64d05b9aea83
Instruction Fuzzy Hash: B05156B09043898FDB05DFA9C548BDEBBF0EF89304F14819AE449A7291D7789884CF72

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6923, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 93fe9525baa5cfdcdb0fec79be617d0955b0f24b7b8f3375a335afed7a3bca5d
Instruction ID: 704b416fcd6a9e3ccb65d8402ae00070cbc99ba684cd84d11ff5db23ea7b6c12
Opcode Fuzzy Hash: 93fe9525baa5cfdcdb0fec79be617d0955b0f24b7b8f3375a335afed7a3bca5d
Instruction Fuzzy Hash: 8C5135B0904389CFDB15CFA9D548BDEBBF0EF89304F14815AE449A7291D778A984CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6933, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DB69A0
GetCurrentThread.KERNEL32 ref: 00DB69DD
GetCurrentProcess.KERNEL32 ref: 00DB6A1A
GetCurrentThreadId.KERNEL32 ref: 00DB6A73

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 26a0e845824fa6ac8ccbeb108a529b00b87c01c546677541180363260c4d1a34
Instruction ID: 442d15dd0ae5ade412d65c455509169141733c27734c9ae4458aec5ce2590bd3
Opcode Fuzzy Hash: 26a0e845824fa6ac8ccbeb108a529b00b87c01c546677541180363260c4d1a34
Instruction Fuzzy Hash: E55145B09042498FDB14CFA9D5887DEBBF0EF49304F14855AE449A7390D7789884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DB69A0
GetCurrentThread.KERNEL32 ref: 00DB69DD
GetCurrentProcess.KERNEL32 ref: 00DB6A1A
GetCurrentThreadId.KERNEL32 ref: 00DB6A73

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c264ac5f7215fd2a9592bf038d9b4ab703631fcd97715cb17f8aecdbf1ff5db6
Instruction ID: cb8c669a28b9977167f8bbdd3cc76e0221ee9379cb749541b88cc6e5a88ead61
Opcode Fuzzy Hash: c264ac5f7215fd2a9592bf038d9b4ab703631fcd97715cb17f8aecdbf1ff5db6
Instruction Fuzzy Hash: 4D5135B0900249CFDB14CFA9D588BDEBBF0EB88304F248159E459A7390D778A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05E52219, Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05E5B21B

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e987ca4255e44da424a2dc378f8dcef31e56792d0d14fc7c0b663257bab2e15f
Instruction ID: c2050b03ed9207983a4d6c22a7cbd6439460b967ed2b4cff89c635c1c1da103a
Opcode Fuzzy Hash: e987ca4255e44da424a2dc378f8dcef31e56792d0d14fc7c0b663257bab2e15f
Instruction Fuzzy Hash: 17518874D043188FEB04CFA9C894BDDBBB5BF49314F05916AE896AB351D7749844CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05E59690, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05E5B21B

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0d0ab76bc9c487e986af0b28816a6ab3f72be70f90b94d01c0a37add0d25d05d
Instruction ID: b42e0c9e02ac2c65045fc3743e90aaab3924e8ba437e00c6ff69bcf7da4bfdda
Opcode Fuzzy Hash: 0d0ab76bc9c487e986af0b28816a6ab3f72be70f90b94d01c0a37add0d25d05d
Instruction Fuzzy Hash: 1D514670D00318CFEB14CFA9C899BDEBBB5BF48314F15912AE856AB350D774A844CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05E5969C, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05E5B21B

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9cd109eb2931365363761379070c5c478f2b780a58af2addf0dc33d2eb9d5868
Instruction ID: 6e62b78fc6f3b2353148a6a6353fa450e6a8ec5588c168fdfc7d81dd47ce6549
Opcode Fuzzy Hash: 9cd109eb2931365363761379070c5c478f2b780a58af2addf0dc33d2eb9d5868
Instruction Fuzzy Hash: A2511574D00218CFDB14CFA9C899BDDBBB5BF48314F159119E856AB350D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05E5B0D5, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05E5B21B

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: db136b7da1802d2da6dc77c40a7f2c02f16a9a8d2f8d3c68aeef5d1affada56f
Instruction ID: 28ffa01a2c9b984a85acd388c6e997c3388557a71b8bc48c6103e0db473010fc
Opcode Fuzzy Hash: db136b7da1802d2da6dc77c40a7f2c02f16a9a8d2f8d3c68aeef5d1affada56f
Instruction Fuzzy Hash: D7511474D002188FDB14CFA9C899BDDBBF5BF48314F15911AE856AB350D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00DB5084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DB51A2

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 950fb199bebfd5813e4f44209f31844abf16f4801ae744ac97472adf8156a6e0
Instruction ID: 06d0524afdccdabb4a2a669c1d41094aeb4f36b5f3204c3f1508ed9bc4f225c4
Opcode Fuzzy Hash: 950fb199bebfd5813e4f44209f31844abf16f4801ae744ac97472adf8156a6e0
Instruction Fuzzy Hash: F751DFB0D00349DFDF14CF99D884ADEBBB5BF48354F64822AE819AB214D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB5090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DB51A2

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fedbd22085f94f510e27a040420de883ed63efddc94dc08b299a93cc95a8a56a
Instruction ID: 6ab390238a80ba22e00dcfb41250216c2e5295ae980139451939b6d70cbc75fb
Opcode Fuzzy Hash: fedbd22085f94f510e27a040420de883ed63efddc94dc08b299a93cc95a8a56a
Instruction Fuzzy Hash: D441D0B0D00308DFDF14CF99D884ADEBBB5BF48344F24822AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB7780, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00DB7F09

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9b9ef3b25d6fe9fed81c0626a12c66d9b48f918d8530d23bc047c368cfb1a9bd
Instruction ID: 0a537e327a968eb1e9a3c863e843549402e64b8940c6d87dd1b896e6d9a7ee3f
Opcode Fuzzy Hash: 9b9ef3b25d6fe9fed81c0626a12c66d9b48f918d8530d23bc047c368cfb1a9bd
Instruction Fuzzy Hash: 31411CB4904245CFCB14CF55C488AAABBF5FF8C314F258499E51AAB321D774E941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05E51E34, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 05E53E42

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c34331bce39a8eed70b81af219e5691e7ac6e9674b8d133038e3f9309649cc2e
Instruction ID: 75b1308bc80b1fec3e6cb54fb8ef3bf698f4a75e8fcc3b6c7707f36120225d43
Opcode Fuzzy Hash: c34331bce39a8eed70b81af219e5691e7ac6e9674b8d133038e3f9309649cc2e
Instruction Fuzzy Hash: 593125B0D043499FDB14DFA8C88979EBBF1BB08364F10992AE855A7340DB749445CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05E53D6F, Relevance: 1.6, APIs: 1, Instructions: 88libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 05E53E42

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 67f77239c443a7c97ee65289719a926925d4706f437e4a2a59f8188ffe1190ca
Instruction ID: 7baeaf47b56b4aedf8d4f85f245bc0726b96ca3ab4489d76be9381ea7739e9d9
Opcode Fuzzy Hash: 67f77239c443a7c97ee65289719a926925d4706f437e4a2a59f8188ffe1190ca
Instruction Fuzzy Hash: 8D3123B1D003499FDB14CFA8C88579EBFF1BB08364F149A2AE855A7380DB749486CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DB6BEF

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 15a216d593779fc1714560f217ad0bbaef395014dd02d2a404dfd1d759b4f14c
Instruction ID: 849d3b22c1196948c2e8d0190bb5edbd47487c23e574c0b832a7b4eaa356c86c
Opcode Fuzzy Hash: 15a216d593779fc1714560f217ad0bbaef395014dd02d2a404dfd1d759b4f14c
Instruction Fuzzy Hash: D221E0B5900248DFDB10CFA9D984ADEBBF4FB48310F14842AE955A3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB6B63, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DB6BEF

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: df2caa9dbf07c2422d02593993be148167400131dd945c3bea8fa0e367d10304
Instruction ID: b47d3c44db712dede611330bd9c4bcda4af1090f8bae597d8354e739663218d5
Opcode Fuzzy Hash: df2caa9dbf07c2422d02593993be148167400131dd945c3bea8fa0e367d10304
Instruction Fuzzy Hash: 8821E0B5900249DFDB10CFA9D584AEEBFF4FB48310F14846AE955A7310D378A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DBBDF9, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00DBBE82

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 60c2251f37aa565cf24661722e51e944082b730e968763baf0b263795e4fa4fb
Instruction ID: e984b07e6036f45a9f53e232963a8c7fc63113fdedfcfac0b3ed700ec56b88aa
Opcode Fuzzy Hash: 60c2251f37aa565cf24661722e51e944082b730e968763baf0b263795e4fa4fb
Instruction Fuzzy Hash: F0218BB09007498FDB10DFA9D8483DEBBF0FB46324F14856BE459A7681C778A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DBBE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00DBBE82

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3714a80e451bf22c1ef2aaa3cecc951513f7ab20871926b15da5c10653300792
Instruction ID: 6b6d42b51f1ec227f2281f684e230e3ad62e05e1aba669b45d73c2ed337c1666
Opcode Fuzzy Hash: 3714a80e451bf22c1ef2aaa3cecc951513f7ab20871926b15da5c10653300792
Instruction Fuzzy Hash: 5F1147B0900749CFDF10DFA9D8487DABBF4FB49324F24842BE549A7640C779A948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273428726.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451a6e61966ab739453bdeb93672acba851f027638dbc663ad8220a32b454716
Instruction ID: a854d9afa1d0ba71d124852a00a41d8dc1c1877b29a3c903a9583ad888751c20
Opcode Fuzzy Hash: 451a6e61966ab739453bdeb93672acba851f027638dbc663ad8220a32b454716
Instruction Fuzzy Hash: 9D2125B1504244DFDB01DF10E8C0B26BF66FB95328F388569E9494B246C336D816CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273470435.0000000000D4D000.00000040.00000001.sdmp, Offset: 00D4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0943dff3342a5f5112897cc71a4ef67dbec68111eec171c2d13b5b8e75a76478
Instruction ID: 0bd09eb2eeaba6568766b775e31ca41b0afd4fb23709a6cc7e34150e5b3efe41
Opcode Fuzzy Hash: 0943dff3342a5f5112897cc71a4ef67dbec68111eec171c2d13b5b8e75a76478
Instruction Fuzzy Hash: C021C2B5504244DFDB14CF14D8C4B26BBA6FB84314F28C9A9E9494B246C37AD847CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D4D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273470435.0000000000D4D000.00000040.00000001.sdmp, Offset: 00D4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550312fb2a7966aef1267c9ebba13eb09aacfc94c95c19aa0b43c5e9ea96ae26
Instruction ID: 417ef5e72c42a37b51d219947f8ee23d226fc19053da92a19200c3c44ca97b9e
Opcode Fuzzy Hash: 550312fb2a7966aef1267c9ebba13eb09aacfc94c95c19aa0b43c5e9ea96ae26
Instruction Fuzzy Hash: 7A2150755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498B697C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D3D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273428726.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7354a76e3ba979fea5a3cd086853515f00a4e8cfc58284410f309d67cc377e0
Instruction ID: 629862e6b667531af77abf9b338513f48c9e0808fb2648d9ea6b7905ec6e6141
Opcode Fuzzy Hash: c7354a76e3ba979fea5a3cd086853515f00a4e8cfc58284410f309d67cc377e0
Instruction Fuzzy Hash: FA11D376404284CFCB12CF10E9C4B56BF72FB95324F28C6A9D8494B656C336D856CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DBD261, Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

D0)l, xrefs: 00DBD56C

Memory Dump Source

Source File: 00000001.00000002.273559301.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID: D0)l
API String ID: 0-287000446
Opcode ID: d4d9b922e7e4441b5e540cfd1f7e513339d68238168fb893bf573a1ddd035882
Instruction ID: 946f5bd4f675caf79c4452f2ff998f94a762fa07e5de4c28eeeb1695062a7808
Opcode Fuzzy Hash: d4d9b922e7e4441b5e540cfd1f7e513339d68238168fb893bf573a1ddd035882
Instruction Fuzzy Hash: 76919034B04218CBCB189B7998547BE7AB7AFC9309B15896ED847E7388DF34C80587A1

Uniqueness

Uniqueness Score: -1.00%

Function 05E56850, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.276685369.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda597487a1a5edb28370d8f222fc3e03a6e98b712a9054f6d810bf9ec60a8f5
Instruction ID: 7012412163cc50007eca90fa6f5d05b6ff45a1617b203f2b8fecfcf7f623f040
Opcode Fuzzy Hash: cda597487a1a5edb28370d8f222fc3e03a6e98b712a9054f6d810bf9ec60a8f5
Instruction Fuzzy Hash: 32B13E70E04209CFDF10CFA9C8857EDBBF2BF88728F549129D855AB294EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Proforma Invoice Copy.exe PID: 6992 Parent PID: 6868 Proforma Invoice Copy.exeCOMMON

Executed Functions

Function 04EF01CB, Relevance: 517.4, Strings: 413, Instructions: 1134COMMON

Download Yara Rule

Strings

2.dl, xrefs: 04EF041E
esTo, xrefs: 04EF0DCF
wnDl, xrefs: 04EF04F4
n, xrefs: 04EF0F33
sact, xrefs: 04EF0E84
enMu, xrefs: 04EF12E7
NtQu, xrefs: 04EF031E
roce, xrefs: 04EF0FEB
ster, xrefs: 04EF1128
text, xrefs: 04EF0A4F
ls\u, xrefs: 04EF0576
l, xrefs: 04EF12A7
tDes, xrefs: 04EF072C
W, xrefs: 04EF0B0D
tCon, xrefs: 04EF0A45
enKe, xrefs: 04EF05F6
Wind, xrefs: 04EF10DD
ll, xrefs: 04EF03DD
\Kno, xrefs: 04EF0526
ls\n, xrefs: 04EF04C6
eA, xrefs: 04EF0B3E
File, xrefs: 04EF0C0F
ofRe, xrefs: 04EF0232
ath, xrefs: 04EF0C79
strlenuser32.dlladvapi32.dll, xrefs: 04EF1348, 04EF134B
py, xrefs: 04EF0665
wnDl, xrefs: 04EF125C
eryI, xrefs: 04EF0B57
wnDl, xrefs: 04EF056C
Inst, xrefs: 04EF1238
l32., xrefs: 04EF054E
rren, xrefs: 04EF0ED3
ey, xrefs: 04EF0713
\Kno, xrefs: 04EF03EC
indo, xrefs: 04EF1155
nPai, xrefs: 04EF11DE
urce, xrefs: 04EF0269
mory, xrefs: 04EF098F
api3, xrefs: 04EF0414
wPro, xrefs: 04EF115F
Para, xrefs: 04EF0E0B
extW, xrefs: 04EF0696
wnDl, xrefs: 04EF04BC
NtDe, xrefs: 04EF0CA6
ateP, xrefs: 04EF0944
ecti, xrefs: 04EF0A90
tion, xrefs: 04EF0CC4
r32., xrefs: 04EF049E
GetP, xrefs: 04EF0818
enSe, xrefs: 04EF0EA2
irtu, xrefs: 04EF097B
Ex, xrefs: 04EF1215
ls32, xrefs: 04EF03BF
nt, xrefs: 04EF12CE
nel3, xrefs: 04EF0459
orma, xrefs: 04EF02A1
troy, xrefs: 04EF0736
GetS, xrefs: 04EF0363
NtGe, xrefs: 04EF0A3B
sW, xrefs: 04EF113C
lstr, xrefs: 04EF085D
enFi, xrefs: 04EF0BBB
layE, xrefs: 04EF0CB0
urce, xrefs: 04EF08CC
ss, xrefs: 04EF0836
lMem, xrefs: 04EF1022
eate, xrefs: 04EF12BA
age, xrefs: 04EF1196
ls32, xrefs: 04EF048A
Load, xrefs: 04EF0204
texW, xrefs: 04EF1360
tDec, xrefs: 04EF075A
cess, xrefs: 04EF0E56
KeyP, xrefs: 04EF0C6F
lize, xrefs: 04EF120B
ombs, xrefs: 04EF1096
eFil, xrefs: 04EF0B2A
ad, xrefs: 04EF0A63
RtlS, xrefs: 04EF0EBF
tRel, xrefs: 04EF07A6
onFi, xrefs: 04EF0B75
Ole3, xrefs: 04EF1293
ess, xrefs: 04EF1082
ePro, xrefs: 04EF0DF7
tant, xrefs: 04EF12F1
alMe, xrefs: 04EF0985
Cryp, xrefs: 04EF06A6
rent, xrefs: 04EF0C5B
NtPr, xrefs: 04EF0877
wnDl, xrefs: 04EF05A7
ZwUn, xrefs: 04EF099F
RtlC, xrefs: 04EF0D3E
itia, xrefs: 04EF1201
Cryp, xrefs: 04EF06CE
teWi, xrefs: 04EF1100
dll, xrefs: 04EF051C
IsWo, xrefs: 04EF0FD7
NtOp, xrefs: 04EF02F7
Clas, xrefs: 04EF1132
NtQu, xrefs: 04EF0B4D
tCre, xrefs: 04EF06B0
l, xrefs: 04EF0428
Reso, xrefs: 04EF01E7
Tran, xrefs: 04EF0E7A
emor, xrefs: 04EF091D
loca, xrefs: 04EF02C5
tePr, xrefs: 04EF08E6
dll, xrefs: 04EF04A8
eate, xrefs: 04EF122E
Muta, xrefs: 04EF12C4
Proc, xrefs: 04EF1078
Cryp, xrefs: 04EF0722
ntin, xrefs: 04EF0D25
Post, xrefs: 04EF1178
Priv, xrefs: 04EF0DBB
tdll, xrefs: 04EF04D0
text, xrefs: 04EF0A18
Thre, xrefs: 04EF0A22
on, xrefs: 04EF0A9A
wcsl, xrefs: 04EF0CD4
Size, xrefs: 04EF0228
ctio, xrefs: 04EF0F29
ZwCr, xrefs: 04EF0E66
s, xrefs: 04EF0315
Cryp, xrefs: 04EF06F5
ry, xrefs: 04EF08A9
NtOp, xrefs: 04EF12DD
reat, xrefs: 04EF0E38
NtWr, xrefs: 04EF0967
Load, xrefs: 04EF0800
eate, xrefs: 04EF1064
\Kno, xrefs: 04EF059D
Cont, xrefs: 04EF07BA
odul, xrefs: 04EF0B20
ndow, xrefs: 04EF110A
reat, xrefs: 04EF0D48
ansa, xrefs: 04EF0F1F
just, xrefs: 04EF0DB1
CoCr, xrefs: 04EF1224
oced, xrefs: 04EF0F50
eeVi, xrefs: 04EF100E
alue, xrefs: 04EF061D
NtCr, xrefs: 04EF0CED
User, xrefs: 04EF0C65
pVie, xrefs: 04EF0A7C
oces, xrefs: 04EF08F0
wOfS, xrefs: 04EF0A86
Free, xrefs: 04EF08B8
lenW, xrefs: 04EF0867
Cont, xrefs: 04EF068C
iteV, xrefs: 04EF0971
\Kno, xrefs: 04EF0476
sour, xrefs: 04EF023C
rThr, xrefs: 04EF0D5C
Thre, xrefs: 04EF0D01
ls32, xrefs: 04EF0400
NtOp, xrefs: 04EF05EC
CoIn, xrefs: 04EF11F7
Mess, xrefs: 04EF118C
ls\a, xrefs: 04EF04FE
NtOp, xrefs: 04EF0BB1
\use, xrefs: 04EF0494
rmin, xrefs: 04EF093A
wcst, xrefs: 04EF108C
mapV, xrefs: 04EF09A9
\Kno, xrefs: 04EF1252
oadD, xrefs: 04EF0F87
Mess, xrefs: 04EF0FB9
ory, xrefs: 04EF07F6
tual, xrefs: 04EF0895
mInf, xrefs: 04EF0297
rtua, xrefs: 04EF1018
eUse, xrefs: 04EF0E42
ueKe, xrefs: 04EF0BE8
Key, xrefs: 04EF0792
yste, xrefs: 04EF028D
l, xrefs: 04EF0594
Cryp, xrefs: 04EF0750
reat, xrefs: 04EF0DED
on, xrefs: 04EF10C4
Cryp, xrefs: 04EF0774
NtRe, xrefs: 04EF09D7
NtOp, xrefs: 04EF0D70
lMem, xrefs: 04EF02E3
enPr, xrefs: 04EF0301
Crea, xrefs: 04EF08DC
cess, xrefs: 04EF0E01
mbstowcs, xrefs: 04EF1371, 04EF1374
DefW, xrefs: 04EF114B
tCur, xrefs: 04EF0C51
EndP, xrefs: 04EF11A0
rPro, xrefs: 04EF0E4C
ance, xrefs: 04EF1242
Find, xrefs: 04EF01DD
ile, xrefs: 04EF0C33
mems, xrefs: 04EF0C93
w64P, xrefs: 04EF0FE1
oces, xrefs: 04EF0350
ckTr, xrefs: 04EF0F15
eroM, xrefs: 04EF0913
eryS, xrefs: 04EF10B0
Lock, xrefs: 04EF0255
ctio, xrefs: 04EF0EAC
ZwRo, xrefs: 04EF0F01
eate, xrefs: 04EF0AB3
NtWr, xrefs: 04EF0C1F
mete, xrefs: 04EF0E15
oces, xrefs: 04EF0D84
NtAl, xrefs: 04EF02BB
Sect, xrefs: 04EF0ABD
sume, xrefs: 04EF09E1
NtSe, xrefs: 04EF0A04
adEx, xrefs: 04EF0D0B
ss, xrefs: 04EF0FF5
adVi, xrefs: 04EF07D8
NtCo, xrefs: 04EF0D1B
NtQu, xrefs: 04EF0279
NtRe, xrefs: 04EF0B8E
tHas, xrefs: 04EF06D8
s, xrefs: 04EF035A
LdrL, xrefs: 04EF0F7D
ecti, xrefs: 04EF10BA
le, xrefs: 04EF0BA2
nmen, xrefs: 04EF0AEF
32.d, xrefs: 04EF127A
Quit, xrefs: 04EF1182
tVal, xrefs: 04EF0BDE
NtSe, xrefs: 04EF0BD4
ey, xrefs: 04EF064F
KERNEL32.DLL, xrefs: 04EF1392, 04EF1398
ose, xrefs: 04EF1040
NtQu, xrefs: 04EF0609
tion, xrefs: 04EF09C7
nsac, xrefs: 04EF0EE7
le, xrefs: 04EF0BC5
Hash, xrefs: 04EF0740
ileg, xrefs: 04EF0DC5
dll, xrefs: 04EF0558
wnDl, xrefs: 04EF0480
a, xrefs: 04EF06EC
2.dl, xrefs: 04EF0463
Cryp, xrefs: 04EF079C
tion, xrefs: 04EF02AB
Key, xrefs: 04EF0627
RtlF, xrefs: 04EF0C3D
RtlZ, xrefs: 04EF0909
eate, xrefs: 04EF0E70
wcsc, xrefs: 04EF104A
xecu, xrefs: 04EF0CBA
Fill, xrefs: 04EF11BA
\Ole, xrefs: 04EF1270
ls\O, xrefs: 04EF05B1
NtCr, xrefs: 04EF0BFB
Reso, xrefs: 04EF08C2
ageB, xrefs: 04EF0FC3
adFi, xrefs: 04EF0B98
py, xrefs: 04EF1051
etPr, xrefs: 04EF0F46
NtEn, xrefs: 04EF0631
oxA, xrefs: 04EF0FCD
tAcq, xrefs: 04EF0678
tStr, xrefs: 04EF0AF9
ls\k, xrefs: 04EF053A
\Kno, xrefs: 04EF0562
rtua, xrefs: 04EF02D9
ll.d, xrefs: 04EF03D3
orma, xrefs: 04EF0C47
\Kno, xrefs: 04EF03AB
Crea, xrefs: 04EF134C
hDat, xrefs: 04EF06E2
Rect, xrefs: 04EF11C4
memc, xrefs: 04EF065E
NtRe, xrefs: 04EF07CE
enPr, xrefs: 04EF0D7A
kernel32.dll, xrefs: 04EF137C, 04EF137F
Thre, xrefs: 04EF09EB
roce, xrefs: 04EF094E
ead, xrefs: 04EF0D66
n, xrefs: 04EF0EB6
ll, xrefs: 04EF1284
ings, xrefs: 04EF0B03
ory, xrefs: 04EF102C
.dll, xrefs: 04EF04DA
RtlC, xrefs: 04EF0E2E
.dll, xrefs: 04EF05C5
ls32, xrefs: 04EF0445
nfor, xrefs: 04EF0332
troy, xrefs: 04EF0788
wnDl, xrefs: 04EF03F6
cW, xrefs: 04EF1169
NtCr, xrefs: 04EF12B0
Reso, xrefs: 04EF025F
urce, xrefs: 04EF0218
2.dl, xrefs: 04EF058A
y, xrefs: 04EF0600
fSec, xrefs: 04EF09BD
eNam, xrefs: 04EF0B34
ad, xrefs: 04EF09F5
NtOp, xrefs: 04EF0E98
Crea, xrefs: 04EF10F6
viro, xrefs: 04EF0AE5
mati, xrefs: 04EF0B6B
iewO, xrefs: 04EF09B3
uire, xrefs: 04EF0682
NtCr, xrefs: 04EF105A
erne, xrefs: 04EF0544
NtAd, xrefs: 04EF0DA7
eryI, xrefs: 04EF0328
ion, xrefs: 04EF0AC7
ce, xrefs: 04EF0246
nfor, xrefs: 04EF0B61
rtua, xrefs: 04EF07E2
rs, xrefs: 04EF0E1F
Memo, xrefs: 04EF089F
\Kno, xrefs: 04EF04EA
wnDl, xrefs: 04EF03B5
NtTe, xrefs: 04EF0930
tDes, xrefs: 04EF077E
iveK, xrefs: 04EF0709
ion, xrefs: 04EF0E8E
GetM, xrefs: 04EF0B16
mInf, xrefs: 04EF0377
lMem, xrefs: 04EF07EC
Thre, xrefs: 04EF0A59
ext, xrefs: 04EF07C4
wnDl, xrefs: 04EF0530
Begi, xrefs: 04EF11D4
eryS, xrefs: 04EF0283
y, xrefs: 04EF0927
ll, xrefs: 04EF0F91
rypt, xrefs: 04EF0764
Regi, xrefs: 04EF111E
dvap, xrefs: 04EF0508
mati, xrefs: 04EF033C
RtlC, xrefs: 04EF0DE3
wcsc, xrefs: 04EF0FA0
ss, xrefs: 04EF0F6E
W, xrefs: 04EF01FB
eate, xrefs: 04EF0C05
\ker, xrefs: 04EF044F
tTra, xrefs: 04EF0EDD
ExW, xrefs: 04EF1114
teMu, xrefs: 04EF1356
yste, xrefs: 04EF036D
NtCl, xrefs: 04EF1036
teVi, xrefs: 04EF02CF
at, xrefs: 04EF0C8A
.dll, xrefs: 04EF0853
onPr, xrefs: 04EF0346
ad, xrefs: 04EF0A2C
en, xrefs: 04EF0D98
ureA, xrefs: 04EF0F5A
Expa, xrefs: 04EF0AD1
ateK, xrefs: 04EF0645
ndEn, xrefs: 04EF0ADB
tVir, xrefs: 04EF088B
eryV, xrefs: 04EF0613
tion, xrefs: 04EF0EF1
tCon, xrefs: 04EF0A0E
aint, xrefs: 04EF11AA
wcsc, xrefs: 04EF0C83
rocA, xrefs: 04EF0822
l, xrefs: 04EF046D
2.dl, xrefs: 04EF129D
o, xrefs: 04EF0381
iteF, xrefs: 04EF0C29
ateH, xrefs: 04EF06BA
Reso, xrefs: 04EF020E
Cryp, xrefs: 04EF066E
eUse, xrefs: 04EF0D52
ddre, xrefs: 04EF082C
NtCr, xrefs: 04EF0AA9
NtMa, xrefs: 04EF0A72
ow, xrefs: 04EF10E7
et, xrefs: 04EF0C9D
ls32, xrefs: 04EF1266
NtFr, xrefs: 04EF1004
ser3, xrefs: 04EF0580
ddre, xrefs: 04EF0F64
eate, xrefs: 04EF0CF7
nt, xrefs: 04EF11E8
en, xrefs: 04EF0CDE
\Kno, xrefs: 04EF0431
oces, xrefs: 04EF030B
ss, xrefs: 04EF0958
le32, xrefs: 04EF05BB
otec, xrefs: 04EF0881
ash, xrefs: 04EF06C4
ease, xrefs: 04EF07B0
ory, xrefs: 04EF02ED
tDer, xrefs: 04EF06FF
User, xrefs: 04EF106E
wnDl, xrefs: 04EF043B
i32., xrefs: 04EF0512
aryA, xrefs: 04EF080E
\ntd, xrefs: 04EF03C9
sW, xrefs: 04EF08FA
urce, xrefs: 04EF01F1
Libr, xrefs: 04EF0807
etCu, xrefs: 04EF0EC9
ken, xrefs: 04EF0DD9
mp, xrefs: 04EF0FAA
ue, xrefs: 04EF0D2F
\adv, xrefs: 04EF040A
\Kno, xrefs: 04EF04B2
le, xrefs: 04EF0B7F
llba, xrefs: 04EF0F0B
y, xrefs: 04EF0BF2
umer, xrefs: 04EF063B
LdrG, xrefs: 04EF0F3C
Show, xrefs: 04EF10D3
NtQu, xrefs: 04EF10A6
sTok, xrefs: 04EF0D8E

Memory Dump Source

Source File: 00000002.00000002.511793758.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: 787866d0769b518b38cf3cef9c8e0732aeba9ebab195fb7289df72886f22b9db
Instruction ID: 4136f374ce11a48a59c59e2989d71b36f422e60706ee646bf82e6ccb45ac7d58
Opcode Fuzzy Hash: 787866d0769b518b38cf3cef9c8e0732aeba9ebab195fb7289df72886f22b9db
Instruction Fuzzy Hash: 1FD2CEB1C052688ACF21DFA1CD85BCEBBB9BF55304F1091DAD648AB205DB319B84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 04EF1C09, Relevance: 15.2, APIs: 10, Instructions: 225nativethreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 04EF1CB7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 04EF1CDC
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 04EF1CF6
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 04EF1D41
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 04EF1D66
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 04EF1DA9
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 04EF1E36
NtGetContextThread.NTDLL(?,?), ref: 04EF1E50
NtSetContextThread.NTDLL(?,00010007), ref: 04EF1E74
NtResumeThread.NTDLL(?,00000000), ref: 04EF1E86

Memory Dump Source

Source File: 00000002.00000002.511793758.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
String ID:
API String ID: 3307612235-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: 421f610868a1cae1b4a4396f1651670d957a604bdf57fc3607b82e847b755d30
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: BE91C17190024DEFDF219FA5CC89EEEBBB8EF89705F004059FA09EA150D731AA54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04EF00AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 04EF0199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 04EF01B8

Strings

@, xrefs: 04EF018C
en, xrefs: 04EF0150
NtOpenSection, xrefs: 04EF011D, 04EF0120
NtMapViewOfSectionNtOpenSection, xrefs: 04EF0128, 04EF012B
wcsl, xrefs: 04EF0149

Memory Dump Source

Source File: 00000002.00000002.511793758.0000000004EF0000.00000040.00000001.sdmp, Offset: 04EF0000, based on PE: false

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: 697b444ab0275bb4c1809a14cd3212af63e3d3db722ee0a97edb3928cc9a7a9b
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 103114B1D00258EFCB10DFE4D985ADEBBB8FF08754F20415AE614EB251E774AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA9290, Relevance: 1.5, APIs: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 00DA9508

Memory Dump Source

Source File: 00000002.00000002.503424063.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fcace9c394d8f2c14d60c8d10435297aacee711aeccf6f88310b4c495fb32c07
Instruction ID: a0c7093753198f3f49d739a3ff4515f4d1ffae6d17f7fed1d7642af44891750f
Opcode Fuzzy Hash: fcace9c394d8f2c14d60c8d10435297aacee711aeccf6f88310b4c495fb32c07
Instruction Fuzzy Hash: A081C031A002149FCB14DB75C494BAEBBF6EB8A314F148569D559DB382CB39DC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA77D4, Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 00DA9508

Memory Dump Source

Source File: 00000002.00000002.503424063.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92e7970f8645b88f7f3dc3b00f70a76c28ca18f0e506ab20cef458ebced68878
Instruction ID: 235dbaf6b045a289d1c0dc957a5b4bc9966b6bdeaba40b219b50ddbcf2c960a7
Opcode Fuzzy Hash: 92e7970f8645b88f7f3dc3b00f70a76c28ca18f0e506ab20cef458ebced68878
Instruction Fuzzy Hash: 141146B19042489FCB10DF9AD488BDFFBF4EB89324F148419E559A7310C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D0EC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503025209.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d44b295a418c798f1752967e877b106b5a270ad03015237beee7d7b8b7ac44a
Instruction ID: 61bbde037b4492929b2eff7de40cd8fed6b001c25889d7440b7c44548971a907
Opcode Fuzzy Hash: 9d44b295a418c798f1752967e877b106b5a270ad03015237beee7d7b8b7ac44a
Instruction Fuzzy Hash: B321F5B9504744DFDB10DF10D8C0B1BBB65FB44325F24C569DC4A4B246C376D88ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D0E7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503025209.0000000000C5D000.00000040.00000001.sdmp, Offset: 00C5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918b5a484225ea750dc867420c5dc02e162b71f4ae55fd38ff69526cb1fe86f3
Instruction ID: e75da4d2417cf349987a7a58a06111a3a446a58f896ea1a71d4cf04f0368f752
Opcode Fuzzy Hash: 918b5a484225ea750dc867420c5dc02e162b71f4ae55fd38ff69526cb1fe86f3
Instruction Fuzzy Hash: 43119079504780DFDB11CF10D9C4B1ABB71FB44324F24C6A9DC4A4B656C33AD98ACB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegAsm.exe PID: 812 Parent PID: 6992 RegAsm.exeCOMMON

Executed Functions

Function 0269AAB0, Relevance: 2.4, APIs: 1, Instructions: 918libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0269B418

Memory Dump Source

Source File: 00000004.00000002.503547904.0000000002690000.00000040.00000001.sdmp, Offset: 02690000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c1c19a728de12d1466e3729b081d81a21919884f9d59d8556a577b29c640c4f
Instruction ID: 8d6444cba4ef82d1a8e7832abcaf5666de317cb5f648ccf8d9661dcae1fbb778
Opcode Fuzzy Hash: 4c1c19a728de12d1466e3729b081d81a21919884f9d59d8556a577b29c640c4f
Instruction Fuzzy Hash: CD825934E046188FDB14EF78D85479EB7F2AF89304F1186AAD54AAB351EF309D85CB41

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Proforma Invoice Copy.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Proforma Invoice Copy.exe PID: 6868 Parent PID: 5824

General

Chronological Activities

Analysis Process: RegAsm.exe PID: 6936 Parent PID: 6868

General

Chronological Activities