Loading ...

Play interactive tourEdit tour

Analysis Report Proforma Invoice Copy.exe

Overview

General Information

Sample Name:Proforma Invoice Copy.exe
Analysis ID:321196
MD5:d3bcc41cd14ace48314861fbeae864ba
SHA1:8e77cb335075e93fffe5e8652d2b7b011d2a922a
SHA256:5bdb22f495f4d4856e100acf674236191d0082c075884b2fe0892fa5b58923a8
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Proforma Invoice Copy.exe (PID: 6868 cmdline: 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' MD5: D3BCC41CD14ACE48314861FBEAE864BA)
    • RegAsm.exe (PID: 6936 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • Proforma Invoice Copy.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\Proforma Invoice Copy.exe' MD5: D3BCC41CD14ACE48314861FBEAE864BA)
      • RegAsm.exe (PID: 812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              4.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                2.2.Proforma Invoice Copy.exe.5010000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Antivirus / Scanner detection for submitted sampleShow sources
                  Source: Proforma Invoice Copy.exeAvira: detected
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: Proforma Invoice Copy.exeVirustotal: Detection: 34%Perma Link
                  Source: Proforma Invoice Copy.exeReversingLabs: Detection: 45%
                  Machine Learning detection for sampleShow sources
                  Source: Proforma Invoice Copy.exeJoe Sandbox ML: detected
                  Source: 1.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 4.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: http://PtYxrU.com
                  Source: RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
                  Source: RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                  Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
                  Source: RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 1.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.csLarge array initialization: .cctor: array initializer size 11818
                  Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.csLarge array initialization: .cctor: array initializer size 11818
                  Source: 4.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3149C135u002dAFFBu002d4C62u002dB252u002dBC818EA64954u007d/u00321AB0C9Cu002d865Au002d46B1u002d89DBu002d23701144A328.csLarge array initialization: .cctor: array initializer size 11818
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: Proforma Invoice Copy.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF00AD NtOpenSection,NtMapViewOfSection,
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB46A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB359C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB45B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DBD261
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00DB5373
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E56508
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E58CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E57120
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E56850
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_0057E2B9
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_00DA04F0
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_00DA04E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0269AAB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_026901A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02695D28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_026998B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0269C618
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02697468
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameDsLLleMsIXkWBLtjVecm.exe4 vs Proforma Invoice Copy.exe
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.509466982.0000000003D7D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamelhqVMJEsRZDQKDeC.bounce.exe4 vs Proforma Invoice Copy.exe
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503062669.0000000000C6A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Proforma Invoice Copy.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: Proforma Invoice Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 1.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.2.RegAsm.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@0/0
                  Source: Proforma Invoice Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Proforma Invoice Copy.exeVirustotal: Detection: 34%
                  Source: Proforma Invoice Copy.exeReversingLabs: Detection: 45%
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeFile read: C:\Users\user\Desktop\Proforma Invoice Copy.exe:Zone.IdentifierJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: unknownProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                  Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Proforma Invoice Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Proforma Invoice Copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02694689 push 8BFFFFFFh; retf
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.86287833188
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 367
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 1891
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 384
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeWindow / User API: threadDelayed 1814
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 667
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6872Thread sleep time: -37820s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 64Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5508Thread sleep count: 136 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5508Thread sleep count: 61 > 30
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 7020Thread sleep count: 384 > 30
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6996Thread sleep count: 1814 > 30
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exe TID: 6996Thread sleep time: -36280s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6316Thread sleep count: 224 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6316Thread sleep count: 667 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -56688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -113000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -56188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55782s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54876s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53782s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -79500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51876s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50782s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -99000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48782s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -71250s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -42188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -42000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -41094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -40876s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -40688s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -60750s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -40000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57750s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -37594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -37376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -36500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -36282s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -35188s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -34094s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -33876s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -33000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -32782s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47250s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -31000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30782s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30376s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -42500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -39000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -37000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -35500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -33500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -59406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -58500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -57000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -56718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -55000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -54312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -53218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -52406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -51312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -50000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -49312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48406s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -48000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -47312s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -46218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -45812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -44500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6324Thread sleep time: -43812s >= -30000s
                  Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: RegAsm.exe, 00000001.00000002.276102343.0000000005A40000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.508532515.0000000005BB0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0269AAB0 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF00AD mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF00AD mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeCode function: 2_2_04EF01CB mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                  Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Maps a DLL or memory area into another processShow sources
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Writes to foreign memory regionsShow sources
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9CA008
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 874008
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Users\user\Desktop\Proforma Invoice Copy.exe 'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: Proforma Invoice Copy.exe, 00000002.00000002.503778930.0000000001290000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.503060022.00000000011C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice Copy.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Users\user\Desktop\Proforma Invoice Copy.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Proforma Invoice Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_05E5223C GetUserNameW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Proforma Invoice Copy.exe PID: 6992, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, type: UNPACKEDPE
                  Tries to harvest and steal browser information (history, passwords, etc)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to steal Mail credentials (via file access)Show sources
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara matchFile source: 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY

                  Remote Access Functionality:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Proforma Invoice Copy.exe PID: 6992, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6936, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 812, type: MEMORY
                  Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.Proforma Invoice Copy.exe.5010000.1.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection212Virtualization/Sandbox Evasion14OS Credential Dumping1Security Software Discovery121Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryVirtualization/Sandbox Evasion14Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection212Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Deobfuscate/Decode Files or Information1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing3Cached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncFile and Directory Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery115Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  Proforma Invoice Copy.exe35%VirustotalBrowse
                  Proforma Invoice Copy.exe46%ReversingLabsByteCode-MSIL.Trojan.Tnega
                  Proforma Invoice Copy.exe100%AviraTR/AD.AgentTesla.hlwts
                  Proforma Invoice Copy.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  2.2.Proforma Invoice Copy.exe.5010000.1.unpack100%AviraHEUR/AGEN.1138205Download File
                  1.2.RegAsm.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                  4.2.RegAsm.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://PtYxrU.com0%Avira URL Cloudsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
                  https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe
                  https://api.ipify.orgGETMozilla/5.00%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://127.0.0.1:HTTP/1.1RegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://DynDns.comDynDNSRegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  http://PtYxrU.comRegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haRegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  https://api.telegram.org/bot%telegramapi%/RegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmpfalse
                    high
                    https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------xRegAsm.exe, 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpfalse
                      high
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipRegAsm.exe, 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Proforma Invoice Copy.exe, 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, RegAsm.exe, 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      https://api.ipify.orgGETMozilla/5.0RegAsm.exe, 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown

                      Contacted IPs

                      No contacted IP infos

                      General Information

                      Joe Sandbox Version:31.0.0 Red Diamond
                      Analysis ID:321196
                      Start date:20.11.2020
                      Start time:15:34:26
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 8m 8s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:Proforma Invoice Copy.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:23
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@7/0@0/0
                      EGA Information:Failed
                      HDC Information:
                      • Successful, ratio: 0.4% (good quality ratio 0.3%)
                      • Quality average: 58.7%
                      • Quality standard deviation: 30.9%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Found application associated with file extension: .exe
                      Warnings:
                      Show All
                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      15:35:33API Interceptor782x Sleep call for process: RegAsm.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASN

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      No created / dropped files found

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.8576781444417625
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:Proforma Invoice Copy.exe
                      File size:614400
                      MD5:d3bcc41cd14ace48314861fbeae864ba
                      SHA1:8e77cb335075e93fffe5e8652d2b7b011d2a922a
                      SHA256:5bdb22f495f4d4856e100acf674236191d0082c075884b2fe0892fa5b58923a8
                      SHA512:28d5a877d1e63efe0667b7ae134413a6a8c82b988aed249ca4425d1ad6eb926bad53a57f93a88a117c1b208ed3622ff70dc90aac0f49da2c0b5cd66d055458ad
                      SSDEEP:12288:g6f1qSUgblfQ7F3hm//jUw5iSr3MnVmkyMmba2:N1egb8F3hm//QAlr8VVyZba
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.._.................X..........~v... ........@.. ..............................".....@................................

                      File Icon

                      Icon Hash:00828e8e8686b000

                      Static PE Info

                      General

                      Entrypoint:0x49767e
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x5FB6E24A [Thu Nov 19 21:23:22 2020 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:v4.0.30319
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Entrypoint Preview

                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x976300x4b.text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x980000x242.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x9a0000xc.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x20000x956840x95800False0.917408614653data7.86287833188IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rsrc0x980000x2420x400False0.30859375data3.56683492949IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0x9a0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

                      NameRVASizeTypeLanguageCountry
                      RT_MANIFEST0x980580x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                      Imports

                      DLLImport
                      mscoree.dll_CorExeMain

                      Network Behavior

                      No network behavior found

                      Code Manipulations

                      Statistics

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Start time:15:35:19
                      Start date:20/11/2020
                      Path:C:\Users\user\Desktop\Proforma Invoice Copy.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                      Imagebase:0xf20000
                      File size:614400 bytes
                      MD5 hash:D3BCC41CD14ACE48314861FBEAE864BA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:low

                      General

                      Start time:15:35:24
                      Start date:20/11/2020
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Imagebase:0x650000
                      File size:64616 bytes
                      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.274037382.0000000002961000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.272957985.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:moderate

                      General

                      Start time:15:35:28
                      Start date:20/11/2020
                      Path:C:\Users\user\Desktop\Proforma Invoice Copy.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\user\Desktop\Proforma Invoice Copy.exe'
                      Imagebase:0x4f0000
                      File size:614400 bytes
                      MD5 hash:D3BCC41CD14ACE48314861FBEAE864BA
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.503144349.0000000000C94000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.512025723.0000000005012000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000003.488119603.0000000004444000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation:low

                      General

                      Start time:15:35:36
                      Start date:20/11/2020
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      Imagebase:0x660000
                      File size:64616 bytes
                      MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.504392475.0000000002B36000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.504199488.0000000002A81000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.500472004.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                      Reputation:moderate

                      Disassembly

                      Code Analysis

                      Reset < >