Windows Analysis Report
Fattura Proforma (C) n 31.exe

Overview

General Information

Sample Name: Fattura Proforma (C) n 31.exe
Analysis ID: 632619
MD5: f9f9551391f15378d87182b087a0984e
SHA1: c81a7c0b39cd213adb431813114cecd856190411
SHA256: 6c2b7249173f7259dad5915a88a0b571644fed8140cd0268a88395e2308a44e4
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "Werner.Wagner@celoric.com", "Password": "LP#qETg8", "Host": "smtp.celoric.com"}
Source: Fattura Proforma (C) n 31.exe Virustotal: Detection: 24%
Source: Fattura Proforma (C) n 31.exe ReversingLabs: Detection: 19%
Source: Fattura Proforma (C) n 31.exe Joe Sandbox ML: detected
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: Fattura Proforma (C) n 31.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fattura Proforma (C) n 31.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.3f893c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.694265183.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pjLE02r21MVNC.com
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rzfHpn.com
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.694282802.0000000002B13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.celoric.com
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.694282802.0000000002B13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.433392009.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435190604.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.433392009.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435302266.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435254801.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435190604.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comcerE
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.433392009.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435302266.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435254801.0000000005E0E000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435190604.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comead_
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.433392009.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.435190604.0000000005E0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comwity
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.430766280.0000000005E08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnT
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000001.00000003.427581616.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.427581616.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com2
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.427581616.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.coma
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.430955587.0000000005E08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com_
Source: Fattura Proforma (C) n 31.exe, 00000001.00000003.430955587.0000000005E08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comf
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478450021.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%$
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.474516321.0000000003EC1000.00000004.00000800.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000007.00000000.469102375.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Fattura Proforma (C) n 31.exe, 00000007.00000000.467636633.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Fattura Proforma (C) n 31.exe, 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: smtp.celoric.com

System Summary

Source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.7b00000.10.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.3f893c8.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.7b00000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.40a86f0.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.40a86f0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000001.00000002.479896370.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6268, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bCC6CA229u002d787Cu002d4D12u002dA4D5u002d4C8E51A2FB29u007d/u0032BD7D317u002d5A30u002d4872u002d8336u002d62468305F018.cs Large array initialization: .cctor: array initializer size 11954
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bCC6CA229u002d787Cu002d4D12u002dA4D5u002d4C8E51A2FB29u007d/u0032BD7D317u002d5A30u002d4872u002d8336u002d62468305F018.cs Large array initialization: .cctor: array initializer size 11954
Source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCC6CA229u002d787Cu002d4D12u002dA4D5u002d4C8E51A2FB29u007d/u0032BD7D317u002d5A30u002d4872u002d8336u002d62468305F018.cs Large array initialization: .cctor: array initializer size 11954
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bCC6CA229u002d787Cu002d4D12u002dA4D5u002d4C8E51A2FB29u007d/u0032BD7D317u002d5A30u002d4872u002d8336u002d62468305F018.cs Large array initialization: .cctor: array initializer size 11954
Source: Fattura Proforma (C) n 31.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.7b00000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.3f893c8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.7b00000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.Fattura Proforma (C) n 31.exe.40a86f0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.40a86f0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000001.00000002.479896370.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6268, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_053974B8 1_2_053974B8
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_053974B2 1_2_053974B2
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_07608C58 1_2_07608C58
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_076052A8 1_2_076052A8
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_07600040 1_2_07600040
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_07608C48 1_2_07608C48
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BDF498 7_2_00BDF498
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BD2D50 7_2_00BD2D50
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BD2618 7_2_00BD2618
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BD1FE0 7_2_00BD1FE0
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BE3890 7_2_00BE3890
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BE0040 7_2_00BE0040
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BE42FB 7_2_00BE42FB
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BEE640 7_2_00BEE640
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BE9790 7_2_00BE9790
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BEA958 7_2_00BEA958
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C80040 7_2_00C80040
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C83038 7_2_00C83038
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C819D0 7_2_00C819D0
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C83DA6 7_2_00C83DA6
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C871B0 7_2_00C871B0
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C83768 7_2_00C83768
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C80006 7_2_00C80006
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C8B5C8 7_2_00C8B5C8
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00C8E9E2 7_2_00C8E9E2
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.474516321.0000000003EC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameoaMacbwxvcPdzawhAjgkvqfYYd.exe4 vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameoaMacbwxvcPdzawhAjgkvqfYYd.exe4 vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.479896370.0000000007B00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIVectorView.dllN vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000001.00000000.423750426.0000000000ACE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRemotingXmlConfigFileD.exe> vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.478893788.00000000075F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCerbera.dll" vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000005.00000000.463493689.000000000050E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRemotingXmlConfigFileD.exe> vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000007.00000000.466657133.000000000056E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRemotingXmlConfigFileD.exe> vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe, 00000007.00000000.469102375.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameoaMacbwxvcPdzawhAjgkvqfYYd.exe4 vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe Binary or memory string: OriginalFilenameRemotingXmlConfigFileD.exe> vs Fattura Proforma (C) n 31.exe
Source: Fattura Proforma (C) n 31.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fattura Proforma (C) n 31.exe Virustotal: Detection: 24%
Source: Fattura Proforma (C) n 31.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File read: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe:Zone.Identifier
Source: Fattura Proforma (C) n 31.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe "C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe"
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Process created: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Process created: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fattura Proforma (C) n 31.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/0
Source: Fattura Proforma (C) n 31.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Mutant created: \Sessions\1\BaseNamedObjects\TfRqYHFSAGlCCkuDn
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Fattura Proforma (C) n 31.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Fattura Proforma (C) n 31.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: Fattura Proforma (C) n 31.exe, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.Fattura Proforma (C) n 31.exe.9e0000.0.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.Fattura Proforma (C) n 31.exe.9e0000.0.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.Fattura Proforma (C) n 31.exe.420000.3.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.Fattura Proforma (C) n 31.exe.420000.0.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.Fattura Proforma (C) n 31.exe.420000.2.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.Fattura Proforma (C) n 31.exe.420000.1.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.Fattura Proforma (C) n 31.exe.420000.0.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.Fattura Proforma (C) n 31.exe.480000.7.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.Fattura Proforma (C) n 31.exe.480000.0.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.Fattura Proforma (C) n 31.exe.480000.3.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.Fattura Proforma (C) n 31.exe.480000.9.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.Fattura Proforma (C) n 31.exe.480000.1.unpack, Form1.cs .Net Code: BackView System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 1_2_0539A1E8 push E801005Eh; retf 1_2_0539A201
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BD7A37 push edi; retn 0000h 7_2_00BD7A39
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00D4E28B push eax; ret 7_2_00D4E349
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00D4D95C push eax; ret 7_2_00D4D95D
Source: initial sample Static PE information: section name: .text entropy: 7.90435959734
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6892, type: MEMORYSTR
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe TID: 6896 Thread sleep time: -43731s >= -30000s
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe TID: 6292 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe TID: 6292 Thread sleep time: -44272185776902896s >= -30000s
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe TID: 6492 Thread sleep count: 2186 > 30
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe TID: 6492 Thread sleep count: 7647 > 30
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Window / User API: threadDelayed 2186
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Window / User API: threadDelayed 7647
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Thread delayed: delay time: 43731
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Fattura Proforma (C) n 31.exe, 00000001.00000002.473781350.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Code function: 7_2_00BEE640 LdrInitializeThunk, 7_2_00BEE640
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Memory written: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Process created: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.3f893c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40a86f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.469102375.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.469793315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474516321.0000000003EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.468372244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.690586626.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474922718.00000000040A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.467636633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6268, type: MEMORYSTR
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6268, type: MEMORYSTR
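The "File opened" and "Key opened" entries in this section are what turn a generic "reads files in AppData" observation into a credential-stealer verdict: one process touching the Thunderbird and Firefox profiles.ini, the IncrediMail identities key, the FileZilla and SmartFTP favourites and the Chrome Login Data database in one run is the behavioural core of the "Tries to steal Mail credentials", "Tries to harvest and steal ftp login credentials" and "Tries to harvest and steal browser information" signatures above. The script below is an added example written for this page, not Joe Sandbox code and not part of the report: it parses behaviour lines of the shape shown in this report, maps each accessed path to a credential-store family, and flags a process that touches two or more families. The family labels, the two-family threshold and the MachineGuid "fingerprint" tag are this example's own assumptions; the sample lines are copied from the report plus one constructed font entry to show that the volume-information noise is ignored.

```python
"""Classify credential-store access from sandbox behaviour lines.

Added example for this report; not Joe Sandbox code. Path patterns are
taken from the report's own entries, categories and threshold are our
own assumptions.
"""
import re
from collections import defaultdict

# (family, regex on the lower-cased target). Families are our labels,
# chosen to mirror the report's mail / ftp / browser signature names.
CREDENTIAL_STORES = [
    ("mail",    r"\\thunderbird\\profiles\.ini$"),
    ("mail",    r"\\software\\incredimail\\identities$"),
    ("ftp",     r"\\filezilla\\recentservers\.xml$"),
    ("ftp",     r"\\smartftp\\client 2\.0\\favorites\\"),
    ("browser", r"\\google\\chrome\\user data\\[^\\]+\\login data$"),
    ("browser", r"\\mozilla\\firefox\\profiles\.ini$"),
]

# Host-identity read that is NOT a credential store; tagged separately so a
# reviewer sees it next to the stealer hits (assumed label, not a verdict).
FINGERPRINT_RE = re.compile(r"\\software\\microsoft\\cryptography machineguid$")

# Matches "Source: <process> <operation>: <target>" with optional link residue.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<op>File opened|Key opened|Key value queried): "
    r"(?P<target>.+?)(?: Jump to behavior)?$"
)

# Two families hit by one process is this example's threshold (assumption).
MIN_FAMILIES = 2


def parse_line(line):
    """Return (process, operation, target) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc"), m.group("op"), m.group("target")


def classify(target):
    """Map an accessed path/key to a credential-store family, or None."""
    t = target.lower()
    for family, pattern in CREDENTIAL_STORES:
        if re.search(pattern, t):
            return family
    return None


def score_process(lines):
    """Aggregate per-process families; return (families, hits, fingerprints, verdict)."""
    families = defaultdict(set)      # process -> {family, ...}
    fingerprints = defaultdict(set)  # process -> {target, ...}
    hits = []                        # unique (process, family, target)
    seen = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, _op, target = parsed
        if FINGERPRINT_RE.search(target.lower()):
            fingerprints[proc].add(target)
            continue
        family = classify(target)
        if family is None or (proc, target) in seen:
            continue                 # benign noise or a repeated open
        seen.add((proc, target))
        families[proc].add(family)
        hits.append((proc, family, target))
    verdict = {p: len(f) >= MIN_FAMILIES for p, f in families.items()}
    return families, hits, fingerprints, verdict


# Constructed input: entries copied from this report plus one font line.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\Fattura Proforma (C) n 31.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior",
]

if __name__ == "__main__":
    fams, hits, fps, verdict = score_process(SAMPLE_LINES)
    for proc, flagged in verdict.items():
        print(f"{proc}: stealer={flagged} families={sorted(fams[proc])} "
              f"fingerprint_reads={len(fps[proc])}")
    for proc, family, target in hits:
        print(f"  [{family}] {target}")
```

The duplicate Thunderbird open is collapsed to one hit, the font volume query is not parsed at all, and the MachineGuid read is reported beside the hits rather than counted toward the verdict, because many legitimate installers read it too.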

Remote Access Functionality

Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.4038208.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fattura Proforma (C) n 31.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.Fattura Proforma (C) n 31.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40023e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.3f893c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.40a86f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Fattura Proforma (C) n 31.exe.41e91b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.469102375.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.469793315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474516321.0000000003EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.468372244.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.690586626.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474922718.00000000040A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.467636633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.692745771.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fattura Proforma (C) n 31.exe PID: 6268, type: MEMORYSTR
No contacted IP infos