
Windows Analysis Report: Proforma Invoice.exe

Overview

General Information

Sample Name: Proforma Invoice.exe
Analysis ID: 502592
MD5: dd00dde252a92512815c0d0d3679d1fd
SHA1: 44ca2aa75de6ca79ae39408b48cd605d384a9a9b
SHA256: c0057025e69297714ba47f8fc982ec8fd8713f5a270a2d638257bcc395cad39f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Proforma Invoice.exe (PID: 6844 cmdline: 'C:\Users\user\Desktop\Proforma Invoice.exe' MD5: DD00DDE252A92512815C0D0D3679D1FD)
    • Proforma Invoice.exe (PID: 5608 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: DD00DDE252A92512815C0D0D3679D1FD)
    • Proforma Invoice.exe (PID: 6804 cmdline: C:\Users\user\Desktop\Proforma Invoice.exe MD5: DD00DDE252A92512815C0D0D3679D1FD)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "kendakenda@karanex.com", "Password": "zarazita404", "Host": "webmail.karanex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Proforma Invoice.exe.3846860.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Proforma Invoice.exe.3846860.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.2.Proforma Invoice.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.Proforma Invoice.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.Proforma Invoice.exe.3846860.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.Proforma Invoice.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "kendakenda@karanex.com", "Password": "zarazita404", "Host": "webmail.karanex.com"}
Machine Learning detection for sample
Source: Proforma Invoice.exe | Joe Sandbox ML: detected
Source: 4.2.Proforma Invoice.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Proforma Invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Proforma Invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49841 -> 185.8.128.141:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49842 -> 185.8.128.141:587
Source: Joe Sandbox View | ASN Name: ALASTYRTR
Source: Joe Sandbox View | IP Address: 185.8.128.141
Source: global traffic | TCP traffic: 192.168.2.3:49841 -> 185.8.128.141:587
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://LqBkoD7aW7iu.org
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://rafeBU.com
Source: Proforma Invoice.exe, 00000004.00000002.562871223.000000000319E000.00000004.00000001.sdmp | String found in binary or memory: http://webmail.karanex.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Proforma Invoice.exe, 00000000.00000002.312573125.0000000006692000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp, Proforma Invoice.exe, 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Proforma Invoice.exe, 00000004.00000002.562365344.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: webmail.karanex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Proforma Invoice.exe
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_013627B4 SetWindowsHookExW 0000000D,00000000,?,?
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Proforma Invoice.exe
.NET source code contains very large array initializations
Source: 4.2.Proforma Invoice.exe.400000.0.unpack, <PrivateImplementationDetails>{334B4886-2F78-4310-AD8D-8030633F3870}/5BFC86F3-17F0-46D9-B37A-34C66161B569.cs | Large array initialization: .cctor: array initializer size 12019
Executable has a suspicious name (potential lure to open the executable)
Source: Proforma Invoice.exe | Static file information: Suspicious name
Source: Proforma Invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_002A4C21
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_00C5E9C0
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_00C5E9D0
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 0_2_00C5C9DC
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 3_2_002E4C21
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_00B24C21
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_01293530
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_01290040
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_0129DF10
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_012997D0
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_01296A18
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_012956B0
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_01290014
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_0129A3C8
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_0136A088
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_01361B80
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_01369C94
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_013C64B8
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_013C5758
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DE4860
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DE3F08
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DE4770
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DE8508
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DE4810
Source: Proforma Invoice.exe | Binary or memory string: OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.310366268.00000000035A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamejKFYOWLbQkFBIMPfWhghzZgVT.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: yl,\\StringFileInfo\\000004B0\\OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.560307423.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamejKFYOWLbQkFBIMPfWhghzZgVT.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.560597448.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice.exe
Source: Proforma Invoice.exe | Binary or memory string: OriginalFilenamec.exe8 vs Proforma Invoice.exe
Source: Proforma Invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Proforma Invoice.exe 'C:\Users\user\Desktop\Proforma Invoice.exe'
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/2@1/1
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.Proforma Invoice.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Proforma Invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Proforma Invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proforma Invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Proforma Invoice.exe, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Proforma Invoice.exe.2a0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Proforma Invoice.exe.2a0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.Proforma Invoice.exe.2e0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.Proforma Invoice.exe.2e0000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.Proforma Invoice.exe.b20000.1.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.Proforma Invoice.exe.b20000.0.unpack, WinUsbInitForm.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_02DEDF16 push FFFFFF8Bh; iretd 4_2_02DEDF1B
Source: initial sample | Static PE information: section name: .text entropy: 7.95675018012

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\proforma invoice.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG154.tmp
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Proforma Invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Proforma Invoice.exe.25f0050.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proforma Invoice.exe PID: 6844, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6928 | Thread sleep time: -45834s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6520 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 2336 | Thread sleep count: 1241 > 30
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 2336 | Thread sleep count: 8607 > 30
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Window / User API: threadDelayed 1241
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Window / User API: threadDelayed 8607
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 45834
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Thread delayed: delay time: 922337203685477
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Proforma Invoice.exe, 00000000.00000002.309881173.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Code function: 4_2_0129CC08 LdrInitializeThunk, 4_2_0129CC08
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: Proforma Invoice.exe, 00000004.00000002.561875686.00000000017E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
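The evasion indicators listed above (the Sandboxie module name SBIEDLL.DLL, the Wine-only kernel32 export WINE_GET_UNIX_FILE_NAME, the VMware Tools strings, the hardware WMI classes Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration, and the Defender exclusion command Add-MpPreference -ExclusionPath fused into the "VMware SVGA II" string) are plain strings that a triage script can pull from the .sdmp memory regions this report references. The scanner below is an added example written for this page, not Joe Sandbox's code and not the sample's; its indicator list is taken from the entries above, the memory dump it scans is constructed inline, and the split into strong and weak families is the editor's assumption: a .NET application enumerating Win32_Processor or probing installed fonts is routine, while a reference to SbieDll.dll inside an "invoice" is not. .NET keeps its string literals in memory as UTF-16LE, so every needle is matched in both encodings; the constructed dump mixes ASCII and UTF-16LE hits on purpose, which is what a scanner that checks only one encoding would miss.

```python
"""Scan a process memory dump for the anti-analysis artifacts listed in this
report and summarise which evasion families are present (added example)."""

from collections import defaultdict

# Indicator strings taken from the report's evasion section. .NET stores
# strings as UTF-16LE, so each needle is searched in both encodings.
INDICATORS = {
    "sandbox_module": ["SbieDll.dll"],                       # Sandboxie
    "wine_export": ["wine_get_unix_file_name"],               # only Wine's kernel32 has it
    "vmware_artifact": [
        "VMware SVGA II",
        "VMware Tools",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
    ],
    "hardware_wmi": [
        "Win32_BaseBoard", "Win32_Bios",
        "Win32_Processor", "Win32_NetworkAdapterConfiguration",
    ],
    "defender_exclusion": ["Add-MpPreference -ExclusionPath"],
}

# Assumption (editor's, not the report's): hardware WMI queries alone are
# consistent with benign .NET code and only count when paired with a family
# that has no legitimate place in an invoice viewer.
WEAK_FAMILIES = {"hardware_wmi"}


def scan(data: bytes) -> dict:
    """Return {family: ["needle (encoding)", ...]} for every indicator found."""
    # bytes.lower() only touches ASCII letters, so it leaves the interleaved
    # NUL bytes of UTF-16LE text untouched and the search stays case-insensitive.
    lowered = data.lower()
    hits = defaultdict(list)
    for family, needles in INDICATORS.items():
        for needle in needles:
            for label, codec in (("ascii", "latin-1"), ("utf16", "utf-16le")):
                if needle.lower().encode(codec) in lowered:
                    hits[family].append(f"{needle} ({label})")
    return dict(hits)


def assess(hits: dict) -> tuple:
    """Map scan hits to a verdict plus the families that drove it."""
    strong = sorted(f for f in hits if f not in WEAK_FAMILIES)
    weak = sorted(f for f in hits if f in WEAK_FAMILIES)
    if strong:
        return "evasive", strong + weak
    if weak:
        return "inconclusive", weak
    return "clean", []


def build_sample_dump() -> bytes:
    """Constructed stand-in for a .sdmp region: ASCII and UTF-16LE strings
    separated by filler, in the shape a .NET stealer leaves behind."""
    parts = [
        b"\x00" * 16,
        "SBIEDLL.DLL".encode("utf-16le"),
        b"\x00" * 8,
        b"KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
        b"\xcc" * 8,
        "VMware SVGA II".encode("utf-16le"),
        'Add-MpPreference -ExclusionPath "'.encode("utf-16le"),
        b"\x00" * 8,
        b"SELECT * FROM Win32_Processor",
        b"\x90" * 16,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    found = scan(build_sample_dump())
    verdict, reasons = assess(found)
    for family, needles in sorted(found.items()):
        print(f"{family:20s} {', '.join(needles)}")
    print("verdict:", verdict, reasons)
```

Run it against a real dump by reading the .sdmp file as bytes and passing it to scan(); the encoding label on each hit tells you whether the string came from managed (UTF-16LE) or native (ASCII) memory, which is a quick way to separate the sample's own string table from noise left by loaded system DLLs.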
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Users\user\Desktop\Proforma Invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: