Windows Analysis Report
RFQ -PO.20571-0001-QBMS-PRQ-0200140.js

Overview

General Information

Sample name: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js
Analysis ID: 1519256
MD5: 5e1cdaa87915b9b6e7d852c0b7ce272b
SHA1: 978f40e995fe1fd0e10f73f8b7924dd31ffb6267
SHA256: 3335d593c4a2f7ab94a35fd5a0991026d1800592a18cc842686d3bf6bb66503d
Tags: js, RedLineStealer, user-abuse_ch

Detection

AgentTesla, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected RedLine Stealer
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
JavaScript file contains suspicious strings
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js Avira: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\x.exe Avira: detection malicious, Label: HEUR/AGEN.1321671
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\build.exe Avira: detection malicious, Label: TR/AD.RedLineSteal.dzdht
Source: 16.2.svchost.exe.3189000.2.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 16.2.svchost.exe.314b000.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: C:\Users\user\AppData\Local\Temp\build.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe ReversingLabs: Detection: 83%
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\build.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:62826 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452492
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442886
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 2_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045DE8F FindFirstFileW,FindClose, 2_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 4_2_00452492
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00442886
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 4_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 4_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 4_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 4_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045DE8F FindFirstFileW,FindClose, 4_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_0044BF8B
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 032078DCh 17_2_03207642
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 17_2_03207E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 032078DCh 17_2_0320767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 17_2_03207E58

Networking

Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.8:62827 -> 212.162.149.53:2049
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.8:62827 -> 212.162.149.53:2049
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:2049 -> 192.168.2.8:62827
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:2049 -> 192.168.2.8:62827
Source: Malware configuration extractor URLs: 212.162.149.53:2049
Source: global traffic TCP traffic: 192.168.2.8:62827 -> 212.162.149.53:2049
Source: global traffic TCP traffic: 192.168.2.8:62828 -> 51.195.88.199:587
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View IP Address: 51.195.88.199
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: UNREAL-SERVERSUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004422FE InternetQueryDataAvailable,InternetReadFile, 2_2_004422FE
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: unknown Network traffic detected: HTTP traffic on port 62826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 62826

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: neworigin.exe.16.dr, cPKWk.cs .Net Code: I3Mi2zn6x
Source: 16.2.svchost.exe.314b000.1.raw.unpack, cPKWk.cs .Net Code: I3Mi2zn6x
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_0045A10F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_0045A10F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 2_2_0046DC80
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, 2_2_0044C37A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_0047C81C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 4_2_0047C81C

System Summary

Source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: server_BTC.exe.16.dr, opqcmgIPmeabY.cs Long String: Length: 17605
Source: 16.2.svchost.exe.3112000.3.raw.unpack, opqcmgIPmeabY.cs Long String: Length: 17605
Source: TrojanAIbot.exe.17.dr, opqcmgIPmeabY.cs Long String: Length: 17605
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js Initial file: wscript.shell, adodb.stream, wmic
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 2_2_00431BE8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 2_2_00446313
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 2_2_004333BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 4_2_004333BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004096A0 2_2_004096A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0042200C 2_2_0042200C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041A217 2_2_0041A217
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00412216 2_2_00412216
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0042435D 2_2_0042435D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004033C0 2_2_004033C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044F430 2_2_0044F430
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004125E8 2_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044663B 2_2_0044663B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00413801 2_2_00413801
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0042096F 2_2_0042096F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004129D0 2_2_004129D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004119E3 2_2_004119E3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041C9AE 2_2_0041C9AE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0047EA6F 2_2_0047EA6F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040FA10 2_2_0040FA10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044EB5F 2_2_0044EB5F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00423C81 2_2_00423C81
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00411E78 2_2_00411E78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00442E0C 2_2_00442E0C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00420EC0 2_2_00420EC0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044CF17 2_2_0044CF17
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00444FD2 2_2_00444FD2
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_04739400 2_2_04739400
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004096A0 4_2_004096A0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0042200C 4_2_0042200C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0041A217 4_2_0041A217
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00412216 4_2_00412216
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0042435D 4_2_0042435D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004033C0 4_2_004033C0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044F430 4_2_0044F430
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004125E8 4_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044663B 4_2_0044663B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00413801 4_2_00413801
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0042096F 4_2_0042096F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004129D0 4_2_004129D0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004119E3 4_2_004119E3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0041C9AE 4_2_0041C9AE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0047EA6F 4_2_0047EA6F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0040FA10 4_2_0040FA10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044EB5F 4_2_0044EB5F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00423C81 4_2_00423C81
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00411E78 4_2_00411E78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00442E0C 4_2_00442E0C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00420EC0 4_2_00420EC0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044CF17 4_2_0044CF17
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00444FD2 4_2_00444FD2
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04845CB0 4_2_04845CB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_04937628 6_2_04937628
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5C628 9_2_04B5C628
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B5B628 13_2_04B5B628
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A9628 15_2_049A9628
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F751EE 16_2_00F751EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB39A3 16_2_00FB39A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F76EAF 16_2_00F76EAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FA5980 16_2_00FA5980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB515C 16_2_00FB515C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FAD580 16_2_00FAD580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FAC7F0 16_2_00FAC7F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F77F80 16_2_00F77F80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FA3780 16_2_00FA3780
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 17_2_032085B7 17_2_032085B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 17_2_032085C8 17_2_032085C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_030DDC74 19_2_030DDC74
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058EEE58 19_2_058EEE58
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E8850 19_2_058E8850
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E0AFC 19_2_058E0AFC
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E0006 19_2_058E0006
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E0040 19_2_058E0040
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E8840 19_2_058E8840
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E0AF9 19_2_058E0AF9
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 19_2_058E1FF0 19_2_058E1FF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0299B088 20_2_0299B088
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0299B078 20_2_0299B078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_082D3E98 20_2_082D3E98
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\build.exe 0576191C50A1B6AFBCAA5CB0512DF5B6A8B9BEF9739E5308F8E2E965BF9B0FC5
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\neworigin.exe DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 0040E710 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 00401B10 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 00408F40 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 004301F8 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 004115D7 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 00416C70 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 004181F2 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 00445AE0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 0041341F appears 36 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 00422240 appears 38 times
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js Initial sample: Strings found which are bigger than 50
Source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: neworigin.exe.16.dr, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: neworigin.exe.16.dr, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.16.dr, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: neworigin.exe.16.dr, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe Binary or memory string: CMD;.VBS;.VBpt-brh
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJS@48/18@3/3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044AF6C GetLastError,FormatMessageW, 2_2_0044AF6C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 2_2_004333BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 2_2_00464EAE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 4_2_004333BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 4_2_00464EAE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 2_2_0045D619
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 2_2_004755C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize, 2_2_0047839D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 2_2_0043305F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 16_2_00F9CBD0
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Roaming\bb5c1732d3a25be8.bin Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-bb5c1732d3a25be83d78ffaf-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-bb5c1732d3a25be8-inf
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\x.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Command line argument: Wu 2_2_0040D6B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Command line argument: Wu 4_2_0040D6B0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js ReversingLabs: Detection: 23%
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ -PO.20571-0001-QBMS-PRQ-0200140.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd"" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: comsvcs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: TrojanAIbot.exe.lnk.17.dr LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js Static file information: File size 4877072 > 1048576
Source: Binary string: wntdll.pdbUGP source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: x.exe, 00000002.00000003.1530923482.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.1530355162.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565181805.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1565707457.0000000005050000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600560631.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000006.00000003.1600415328.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640373275.0000000004030000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000009.00000003.1640053185.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1680596257.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, x.exe, 0000000D.00000003.1679446140.00000000039A0000.00000004.00001000.00020000.00000000.sdmp
Source: server_BTC.exe.16.dr Static PE information: 0xAA16B5AE [Fri Jun 4 22:50:22 2060 UTC]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040EBD0 LoadLibraryA,GetProcAddress, 2_2_0040EBD0
Source: RFQ -PO.20571-0001-QBMS-PRQ-0200140.js String : entropy: 5.97, length: 4876722, content: "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbg
Source: server_BTC.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: x.exe.1.dr Static PE information: real checksum: 0xa961f should be: 0x388577
Source: neworigin.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x480db
Source: build.exe.16.dr Static PE information: real checksum: 0x0 should be: 0x575be
Source: TrojanAIbot.exe.17.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00416CB5 push ecx; ret 2_2_00416CC8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00416CB5 push ecx; ret 4_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00402A57 push esp; retf 16_2_00402A58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0040513D push 5DBA3BDAh; iretd 16_2_00405151
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F74B64 push 00F74E86h; ret 16_2_00F74C24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F74B64 push 00F74E27h; ret 16_2_00F74EC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97D4Bh; ret 16_2_00F97D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97DD7h; ret 16_2_00F97D9F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97D5Fh; ret 16_2_00F97DB3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F981E6h; ret 16_2_00F97E2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F97FCCh; ret 16_2_00F982BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F97DF0 push 00F98468h; ret 16_2_00F9852D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9852Eh; ret 16_2_00F97F3A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98514h; ret 16_2_00F97F66
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F97E66h; ret 16_2_00F98057
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9817Ah; ret 16_2_00F9808B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F982E5h; ret 16_2_00F980D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9826Ah; ret 16_2_00F9819E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9849Ch; ret 16_2_00F981E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98321h; ret 16_2_00F982E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F97FBFh; ret 16_2_00F9831F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F97FA8h; ret 16_2_00F9834C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F984BAh; ret 16_2_00F983E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98426h; ret 16_2_00F984D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98075h; ret 16_2_00F984FD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F9808Ch; ret 16_2_00F98512
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98D45h; ret 16_2_00F987D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98AB5h; ret 16_2_00F98B13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98784h; ret 16_2_00F98CA1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98DC9h; ret 16_2_00F98E1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 push 00F98D14h; ret 16_2_00F98E2E
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\build.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F9CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 16_2_00F9CBD0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_0047A330
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00434418
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 4_2_0047A330
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_00434418
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 4739024
Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 48458D4
Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 493724C
Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 4B5C24C
Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 4B5B24C
Source: C:\Users\user\AppData\Local\Temp\x.exe API/Special instruction interceptor: Address: 49A924C
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 15F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 31F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 5240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 21E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 1840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 5330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 1040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199790
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199683
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199484
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199265
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 4504
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 5304
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 1732
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 2548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8842
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 751
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 3346
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 6443
Source: C:\Users\user\AppData\Local\Temp\x.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\x.exe API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99779s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99556s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99397s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97815s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97669s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97560s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97450s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97334s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99536s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99410s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -99054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98903s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98451s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -96599s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -1199790s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -1199683s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -1199484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -1199375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5696 Thread sleep time: -1199265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 2648 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 1436 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5208 Thread sleep count: 8842 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5308 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5188 Thread sleep count: 751 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4676 Thread sleep time: -200760000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4676 Thread sleep time: -386580000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5288 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 4868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 6856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452492
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442886
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 2_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045DE8F FindFirstFileW,FindClose, 2_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 4_2_00452492
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00442886
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 4_2_004788BD
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 4_2_004339B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 4_2_0045CAFA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 4_2_00431A86
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 4_2_0044BD27
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0045DE8F FindFirstFileW,FindClose, 4_2_0045DE8F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 4_2_0044BF8B
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 2_2_0040E500
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99779
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99672
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99556
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99397
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99280
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98172
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98046
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97937
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97815
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97669
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97560
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97450
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97334
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97093
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96766
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99536
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99410
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99054
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98903
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98451
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98094
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97984
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97875
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97547
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97436
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97328
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97219
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97109
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96872
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96599
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199790
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199683
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199484
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199265
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: x.exe, 00000004.00000002.1566684491.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\3
Source: x.exe, 00000009.00000002.1650531483.0000000000928000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\K
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0045A370 BlockInput, 2_2_0045A370
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 2_2_0040D590
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040EBD0 LoadLibraryA,GetProcAddress, 2_2_0040EBD0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_047392F0 mov eax, dword ptr fs:[00000030h] 2_2_047392F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_04739290 mov eax, dword ptr fs:[00000030h] 2_2_04739290
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_04737C50 mov eax, dword ptr fs:[00000030h] 2_2_04737C50
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04844500 mov eax, dword ptr fs:[00000030h] 4_2_04844500
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04845BA0 mov eax, dword ptr fs:[00000030h] 4_2_04845BA0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_04845B40 mov eax, dword ptr fs:[00000030h] 4_2_04845B40
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_04937518 mov eax, dword ptr fs:[00000030h] 6_2_04937518
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_049374B8 mov eax, dword ptr fs:[00000030h] 6_2_049374B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 6_2_04935E78 mov eax, dword ptr fs:[00000030h] 6_2_04935E78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5C4B8 mov eax, dword ptr fs:[00000030h] 9_2_04B5C4B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5C518 mov eax, dword ptr fs:[00000030h] 9_2_04B5C518
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 9_2_04B5AE78 mov eax, dword ptr fs:[00000030h] 9_2_04B5AE78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B5B4B8 mov eax, dword ptr fs:[00000030h] 13_2_04B5B4B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B5B518 mov eax, dword ptr fs:[00000030h] 13_2_04B5B518
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 13_2_04B59E78 mov eax, dword ptr fs:[00000030h] 13_2_04B59E78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A9518 mov eax, dword ptr fs:[00000030h] 15_2_049A9518
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A94B8 mov eax, dword ptr fs:[00000030h] 15_2_049A94B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 15_2_049A7E78 mov eax, dword ptr fs:[00000030h] 15_2_049A7E78
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0050B794 mov eax, dword ptr fs:[00000030h] 16_2_0050B794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F71130 mov eax, dword ptr fs:[00000030h] 16_2_00F71130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB3F3D mov eax, dword ptr fs:[00000030h] 16_2_00FB3F3D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 2_2_004238DA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041F250 SetUnhandledExceptionFilter, 2_2_0041F250
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041A208
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00417DAA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0041F250 SetUnhandledExceptionFilter, 4_2_0041F250
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041A208
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00417DAA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0040160F SetUnhandledExceptionFilter, 16_2_0040160F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00FB1361
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00FB4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00FB4C7B
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: x.exe.1.dr
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: B86008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00436CD7 LogonUserW, 2_2_00436CD7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 2_2_0040D590
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00434418
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, 2_2_0043333C
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6964.tmp.cmd"" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
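The process-creation lines above describe the whole execution chain: wscript.exe drops and starts x.exe from Temp; x.exe starts six C:\Windows\SysWOW64\svchost.exe instances whose command line is x.exe's own path (the image on disk and the command line name different executables, and the parent is not services.exe, both tells of a hollowed svchost); the hollowed svchost starts server_BTC.exe, neworigin.exe and build.exe; server_BTC.exe then excludes its own directory from Defender with Add-MpPreference, registers a scheduled task that re-runs TrojanAIbot.exe from that excluded directory every minute (/sc daily /ri 1 /du 23:59), starts it, and runs a dropped .cmd through cmd.exe. The following triage script, written for this report and not part of it or of the malware, turns those observations into checks over Sysmon-style process events. The events are constructed by hand from the lines above; pid/ppid values, the field names and the wscript.exe command line (which the report does not show) are assumptions.

```python
"""Triage of the process-creation chain shown in this report (added example).

EVENTS is constructed from the "Process created" lines above in Sysmon Event ID 1
style. pid/ppid values, field names and the wscript.exe command line are assumptions.
"""
import ntpath
import re

TMP = r"C:\Users\user\AppData\Local\Temp"
ROAM = r"C:\Users\user\AppData\Roaming\ACCApi"

EVENTS = [  # assumed time order; only two of the six svchost.exe instances are included
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "RFQ -PO.20571-0001-QBMS-PRQ-0200140.js"'},
    {"pid": 2, "ppid": 1, "image": TMP + r"\x.exe", "cmdline": f'"{TMP}\\x.exe"'},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": f'"{TMP}\\x.exe"'},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": f'"{TMP}\\x.exe"'},
    {"pid": 5, "ppid": 3, "image": TMP + r"\server_BTC.exe", "cmdline": f'"{TMP}\\server_BTC.exe"'},
    {"pid": 6, "ppid": 3, "image": TMP + r"\neworigin.exe", "cmdline": f'"{TMP}\\neworigin.exe"'},
    {"pid": 7, "ppid": 3, "image": TMP + r"\build.exe", "cmdline": f'"{TMP}\\build.exe"'},
    {"pid": 8, "ppid": 5, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"\"powershell.exe\" Add-MpPreference -ExclusionPath '{ROAM}'"},
    {"pid": 9, "ppid": 5, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": f'"schtasks.exe" /create /tn AccSys /tr "{ROAM}\\TrojanAIbot.exe" /st 03:26 /du 23:59 /sc daily /ri 1 /f'},
    {"pid": 10, "ppid": 5, "image": ROAM + r"\TrojanAIbot.exe", "cmdline": f'"{ROAM}\\TrojanAIbot.exe"'},
    {"pid": 11, "ppid": 5, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'C:\\Windows\\system32\\cmd.exe /c ""{TMP}\\tmp6964.tmp.cmd""'},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 6"},
]

FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def base(path):
    """Lower-cased file name; a bare 'timeout' is treated as timeout.exe."""
    name = ntpath.basename(path).lower()
    return name if "." in name else name + ".exe"


def exe_from_cmdline(cmdline):
    """Executable named by the first (possibly quoted) token of a command line."""
    m = FIRST_TOKEN.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def triage(events):
    """Return (pid, rule, detail) findings for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    hollowed = set()   # pids whose on-disk image and command line name different executables
    exclusions = []    # Defender exclusion paths seen so far (lower-cased)
    findings = []

    def hit(e, rule, detail):
        findings.append((e["pid"], rule, detail))

    for e in events:
        img, claimed = base(e["image"]), base(exe_from_cmdline(e["cmdline"]))
        low = e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        parent_img = base(parent["image"]) if parent else ""
        # Hollowing tell: the file name on disk is not what the command line says was started.
        # (Only names are compared, so system32 vs SysWOW64 redirection does not trigger it.)
        if claimed != img:
            hollowed.add(e["pid"])
            hit(e, "image_cmdline_mismatch", f"{img} running with command line of {claimed}")
        # Genuine svchost.exe instances are started by services.exe.
        if img == "svchost.exe" and parent_img != "services.exe":
            hit(e, "svchost_unexpected_parent", f"parent is {parent_img or 'unknown'}")
        # WScript/CScript dropper: a script host launching an executable from a user-writable path.
        if parent_img in SCRIPT_HOSTS and USER_WRITABLE.search(e["image"]):
            hit(e, "script_host_launches_dropped_exe", e["image"])
        # Whatever a hollowed process starts inherits its suspicion.
        if e["ppid"] in hollowed:
            hit(e, "child_of_hollowed_process", f"spawned by pid {e['ppid']} ({parent_img})")
        # Defender exclusion added from the command line; remember the path for later events.
        if "add-mppreference" in low and "-exclusion" in low:
            paths = re.findall(r"-exclusion\w*\s+'([^']+)'", e["cmdline"], re.I)
            exclusions.extend(p.lower() for p in paths)
            hit(e, "defender_exclusion_added", ", ".join(paths))
        # Scheduled task whose action lives in a user-writable path or repeats every few minutes.
        if img == "schtasks.exe" and "/create" in low:
            tr = re.search(r'/tr\s+"([^"]+)"', e["cmdline"], re.I)
            ri = re.search(r"/ri\s+(\d+)", low)
            target = tr.group(1) if tr else ""
            if USER_WRITABLE.search(target) or ri:
                hit(e, "scheduled_task_persistence",
                    f"{target} repeat every {ri.group(1) if ri else '?'} min")
        # Executable started from a directory that was excluded from Defender scanning earlier.
        if any(e["image"].lower().startswith(x) for x in exclusions):
            hit(e, "runs_from_defender_exclusion", e["image"])
        # cmd.exe running a batch file dropped in Temp.
        if img == "cmd.exe" and re.search(r'\\temp\\[^"\s]+\.(cmd|bat)', low):
            hit(e, "shell_runs_temp_script", e["cmdline"])
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"pid {pid:>2}  {rule:<34} {detail}")
```

The exclusion path is remembered as the events stream past, so the later start of TrojanAIbot.exe from C:\Users\user\AppData\Roaming\ACCApi is flagged as running from an excluded directory; on a real host the same idea applies to Get-MpPreference output matched against the image paths in process events. The timeout.exe event at the end of the chain produces no finding, which is the expected result for a benign child of the dropped batch file.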
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 2_2_00446124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00F98550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 16_2_00F98550
Source: x.exe Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000001.00000003.1495166445.00000192DDBA3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1494715225.00000192E02E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1488192028.00000192E02E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, 2_2_004720DB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00472C3F GetUserNameW, 2_2_00472C3F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_0041E364
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 2_2_0040E500
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 16.2.svchost.exe.3189000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3189000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.build.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1731769518.0000000003189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1729162835.0000000000F42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: x.exe Binary or memory string: WIN_XP
Source: x.exe, 0000000D.00000000.1642698601.0000000000482000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: x.exe Binary or memory string: WIN_XPe
Source: x.exe Binary or memory string: WIN_VISTA
Source: x.exe Binary or memory string: WIN_7
Source: x.exe Binary or memory string: WIN_8
Source: Yara match File source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
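The "File opened" and "Key opened" lines in this section show the two dropped payloads dividing the credential harvesting between them: build.exe (the RedLine component) reads Chromium-family Login Data, Cookies, Extension Cookies and Web Data from Chrome and Edge, Firefox's cookies.sqlite, and the data directories of Atomic, Binance, Coinomi, Electrum, Ethereum, Exodus, Guarda and Jaxx wallets; neworigin.exe (the AgentTesla component) goes after WinSCP saved sessions, FTP Navigator's Ftplist.txt, profiles.ini of Firefox, Cyberfox, BlackHawk and Thunderbird, and the Windows Messaging Subsystem and IncrediMail mail profile keys. The script below, added here and not part of the report, classifies such accesses against a table of credential stores and gives a per-process verdict based on who is reading them; the accesses are constructed from the lines above (plus one benign control), and the list of processes expected to read each store is an assumption.

```python
"""Classify file and registry accesses against known credential stores (added example).

ACCESSES is constructed from the "File opened" / "Key opened" lines of this section,
plus one constructed benign control. The owner sets in STORES are an assumption about
which processes legitimately read each store.
"""
import ntpath
import re

TMP = r"C:\Users\user\AppData\Local\Temp"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)

STORES = [  # (category, regex over the lower-cased target, processes expected to read it)
    ("browser_logins", r"\\user data\\[^\\]+\\login data$", {"chrome.exe", "msedge.exe"}),
    ("browser_cookies",
     r"\\user data\\[^\\]+\\(network\\)?cookies$|\\extension cookies$|\\cookies\.sqlite$",
     {"chrome.exe", "msedge.exe", "firefox.exe"}),
    ("browser_autofill", r"\\user data\\[^\\]+\\web data$", {"chrome.exe", "msedge.exe"}),
    ("gecko_profiles", r"\\profiles\.ini$", {"firefox.exe", "thunderbird.exe"}),
    ("ftp_sftp_clients", r"\\winscp 2\\sessions$|\\ftp navigator\\ftplist\.txt$", {"winscp.exe"}),
    ("mail_clients", r"\\windows messaging subsystem\\profiles$|\\incredimail\\identities$",
     {"outlook.exe"}),
    # No third-party process has business reading wallet files, so the owner set is empty.
    ("crypto_wallets",
     r"\\(atomic|binance|coinomi|electrum|ethereum|exodus|guarda|com\.liberty\.jaxx)(\\|$)", set()),
]

ACCESSES = [  # (process image, target path or registry key)
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Roaming\atomic"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (TMP + r"\build.exe", r"C:\Users\user\AppData\Roaming\com.liberty.jaxx"),
    (TMP + r"\neworigin.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (TMP + r"\neworigin.exe", r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    (TMP + r"\neworigin.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (TMP + r"\neworigin.exe", r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    (TMP + r"\neworigin.exe", r"C:\FTP Navigator\Ftplist.txt"),
    (TMP + r"\neworigin.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (TMP + r"\neworigin.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (TMP + r"\neworigin.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    # Constructed benign control: the browser reading its own password store.
    (CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]


def classify(target):
    """Credential-store category of a path or key, or None if it is not one we track."""
    low = target.lower()
    for category, pattern, _ in STORES:
        if re.search(pattern, low):
            return category
    return None


def verdict(image, rec):
    """Stealer-like when a non-owner reads stores broadly or runs from a user-writable path."""
    foreign = bool(rec["foreign"])
    broad = len(rec["categories"]) >= 2
    from_user_dir = bool(USER_WRITABLE.search(image))
    if foreign and (broad or from_user_dir):
        return "stealer-like"
    return "review" if foreign else "expected"


def triage(accesses):
    """Per process image: categories touched, accesses by a non-owner, and a verdict."""
    per_proc = {}
    for image, target in accesses:
        category = classify(target)
        if category is None:
            continue
        owners = next(o for c, _, o in STORES if c == category)
        rec = per_proc.setdefault(image, {"categories": set(), "foreign": []})
        rec["categories"].add(category)
        if ntpath.basename(image).lower() not in owners:
            rec["foreign"].append((category, target))
    for image, rec in per_proc.items():
        rec["verdict"] = verdict(image, rec)
    return per_proc


if __name__ == "__main__":
    for image, rec in triage(ACCESSES).items():
        print(f"{rec['verdict']:<13} {image}  {sorted(rec['categories'])}")
```

The same table works on a host with file-access telemetry (Sysmon Event ID 11 or an EDR's file-open stream) as long as the process image is recorded with each access; the verdict deliberately keys on the reader rather than on the file, because every path above is read legitimately by its own application many times a day.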

Remote Access Functionality

Source: Yara match File source: 16.2.svchost.exe.314b000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3112000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.314b000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.neworigin.exe.e60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.1724575722.0000000000E62000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1731769518.0000000003112000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 16.2.svchost.exe.3189000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.svchost.exe.3189000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.build.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1731769518.0000000003189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1941971499.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1729162835.0000000000F42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 2_2_004652BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00476619
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 2_2_0046CEF3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 4_2_004652BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 4_2_00476619
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 4_2_0046CEF3