Loading ...

Play interactive tourEdit tour

Analysis Report Proforma Invoice Copy.exe

Overview

General Information

Sample Name:Proforma Invoice Copy.exe
Analysis ID:321196
MD5:d3bcc41cd14ace48314861fbeae864ba
SHA1:8e77cb335075e93fffe5e8652d2b7b011d2a922a
SHA256:5bdb22f495f4d4856e100acf674236191d0082c075884b2fe0892fa5b58923a8
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Proforma Invoice Copy.exe (PID: 6868 cmdline: 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' MD5: D3BCC41CD14ACE48314861FBEAE864BA)
    • RegAsm.exe (PID: 6936 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • Proforma Invoice Copy.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' MD5: D3BCC41CD14ACE48314861FBEAE864BA)
      • RegAsm.exe (PID: 812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              4.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                2.2.Proforma Invoice Copy.exe.5010000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Antivirus / Scanner detection for submitted sampleShow sources
                  Source: Proforma Invoice Copy.exeAvira: detected
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: Proforma Invoice Copy.exeVirustotal: Detection: 34%Perma Link
                  Source: Proforma Invoice Copy.exeReversingLabs: Detection: 45%
                  Machine Learning detection for sampleShow sources
                  Source: Proforma Invoice Copy.exeJoe Sandbox ML: detected
                  Source: 1.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 4.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://PtYxrU.com
                  Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
                  Source: RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                  Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
                  Source: RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 1.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.csLarge array initialization: .cctor: array initializer size 11818
                  Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.csLarge array initialization: .cctor: array initializer size 11818
                  Source: 4.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.csLarge array initialization: .cctor: array initializer size 11818
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: Proforma Invoice Copy.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF00AD NtOpenSection,NtMapViewOfSection,2_2_04EF00AD
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,2_2_04EF1C09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB46A01_2_00DB46A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB359C1_2_00DB359C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB45B01_2_00DB45B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DBD2611_2_00DBD261
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB53731_2_00DB5373
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E565081_2_05E56508
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E58CD81_2_05E58CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E571201_2_05E57120
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E568501_2_05E56850
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_0057E2B92_2_0057E2B9
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_00DA04F02_2_00DA04F0
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_00DA04E12_2_00DA04E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0269AAB04_2_0269AAB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_026901A44_2_026901A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02695D284_2_02695D28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_026998B84_2_026998B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0269C6184_2_0269C618
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_026974684_2_02697468
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameDsLLleMsIXkWBLtjVecm.exe4 vs Proforma Invoice Copy.exe
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.509466982.0000000003D7D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamelhqVMJEsRZDQKDeC.bounce.exe4 vs Proforma Invoice Copy.exe
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503062669.0000000000C6A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Proforma Invoice Copy.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: Proforma Invoice Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@0/0
                  Source: Proforma Invoice Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: Proforma Invoice Copy.exeVirustotal: Detection: 34%
                  Source: Proforma Invoice Copy.exeReversingLabs: Detection: 45%
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeFile read: C:\Users\user\Desktop\Proforma Invoice Copy.exe:Zone.IdentifierJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Proforma Invoice Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Proforma Invoice Copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02694689 push 8BFFFFFFh; retf 4_2_02694698
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.86287833188
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  barindex
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 367Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 1891Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 384Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 1814Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 667Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6872Thread sleep time: -37820s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 64Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5508Thread sleep count: 136 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5508Thread sleep count: 61 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 7020Thread sleep count: 384 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6996Thread sleep count: 1814 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6996Thread sleep time: -36280s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6316Thread sleep count: 224 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6316Thread sleep count: 667 > 30Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -56688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -113000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -56188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54876s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -79500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51876s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -99000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -71250s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -42188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -42000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -41094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -40876s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -40688s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -60750s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -40000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57750s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -37594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -37376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -36500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -36282s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -35188s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -34094s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -33876s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -33000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -32782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47250s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -31000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30782s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30376s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43594s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -42500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -39000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -37000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -35500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -33500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59406s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57406s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -56718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55406s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55218s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54312s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53218s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52406s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51312s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50406s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49312s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48406s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47312s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46218s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44906s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43812s >= -30000sJump to behavior
                  Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0269AAB0 LdrInitializeThunk,4_2_0269AAB0
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF00AD mov ecx, dword ptr fs:[00000030h]2_2_04EF00AD
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF00AD mov eax, dword ptr fs:[00000030h]2_2_04EF00AD
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF01CB mov eax, dword ptr fs:[00000030h]2_2_04EF01CB
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                  Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Maps a DLL or memory area into another processShow sources
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regionsShow sources
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9CA008Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 874008Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' Jump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice Copy.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice Copy.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E5223C GetUserNameW,1_2_05E5223C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Proforma Invoice Copy.exe PID: 6992, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, type: UNPACKEDPE
                  Tries to harvest and steal browser information (history, passwords, etc)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Tries to steal Mail credentials (via file access)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara matchFile source: 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY

                  Remote Access Functionality:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Proforma Invoice Copy.exe PID: 6992, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection212Virtualization/Sandbox Evasion14OS Credential Dumping1Security Software Discovery121Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion14Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection212Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Deobfuscate/Decode Files or Information1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing3Cached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncFile and Directory Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery115Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.